QNX affected by a critical C Runtime Library Vulnerability

Aug 20, 2021 05:52 GMT

Older versions of BlackBerry's QNX Real-Time Operating System (RTOS) contain a significant vulnerability that allows threat actors to take complete control of, and damage, a wide range of devices, including industrial equipment, medical equipment, and cars.

More than 195 million BlackBerry QNX-based vehicles and integrated systems are being used in a wide range of sectors worldwide, including aircraft, military, commercial vehicles, medical, cars, heavy machinery, industrial controls, rail, and robotics.

The vulnerability in question has the tracking identifier CVE-2021-22156 and a CVSS score of 9.0, according to BlackBerry. So far, we know it is part of BadAlloc, a broader collection of vulnerabilities first discovered by Microsoft in April, and can open a backdoor into affected devices, allowing attackers to disrupt normal operations or execute malicious commands.

There are currently no indications that the flaw is being exploited in the wild 

Although there is currently no indication that the vulnerability is being exploited in the wild, CISA said it could allow a threat actor to execute arbitrary code or launch a distributed denial-of-service attack.

According to the company's advisory, the vulnerability lies in the calloc() function of the C runtime library and has been identified in BlackBerry QNX OS for Safety 1.0.1 and earlier, BlackBerry QNX OS for Medical 1.1 and earlier, and BlackBerry QNX SDP Platform versions 6.5.0SP1 and earlier. To protect devices from this vulnerability, manufacturers of OT and IoT devices, as well as users of devices with QNX-based operating systems, are urged to apply the following fixes:

  • QNX OS for Safety 1.0 or 1.0.1: Update to QNX OS for Safety 1.0.2 
  • QNX OS for Medical 1.0 or 1.1: Update to QNX OS for Medical 1.1.1 or apply patch ID 4846 
  • QNX SDP 6.5.0 SP1: Update to QNX SDP 6.6.0 or later, or apply patch ID 4844  

BlackBerry offers the following mitigating recommendations:

To prevent hostile and unauthorized access to susceptible devices, follow cybersecurity best practices for network segmentation, vulnerability screening, and intrusion detection. Users should also ensure that only the ports and protocols used by the RTOS are accessible and that all others are blocked.
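
BadAlloc, the family named above, covers integer overflows in memory-allocation routines: the size computation wraps, and the allocator hands back a buffer far smaller than the caller asked for. The C program below is an added example, not code from BlackBerry or from the original article; `checked_calloc` and its helpers are hypothetical names that show the overflow check a calloc-style allocator needs, and the input value is constructed.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Returns 1 when nmemb * size cannot be represented in a size_t. */
static int mul_overflows(size_t nmemb, size_t size)
{
    return size != 0 && nmemb > SIZE_MAX / size;
}

/* The flawed pattern: the product wraps silently (unsigned arithmetic is
 * modulo SIZE_MAX + 1), so a huge request collapses to a tiny byte count.
 * This helper only computes the size; it does not allocate. */
static size_t wrapped_request(size_t nmemb, size_t size)
{
    return nmemb * size;
}

/* Hypothetical hardened wrapper: refuse the request instead of
 * allocating a buffer smaller than the caller believes it has. */
void *checked_calloc(size_t nmemb, size_t size)
{
    if (mul_overflows(nmemb, size)) {
        errno = ENOMEM;
        return NULL;
    }
    return calloc(nmemb, size);
}

int main(void)
{
    /* Constructed input: an element count for which count * 16 wraps. */
    size_t count = SIZE_MAX / 16 + 2;

    printf("requested elements : %zu x 16 bytes\n", count);
    printf("unchecked byte size: %zu\n", wrapped_request(count, 16));

    void *p = checked_calloc(count, 16);
    printf("checked_calloc     : %s\n", p ? "allocated" : "rejected");
    free(p);

    /* A normal request still succeeds. */
    p = checked_calloc(4, 16);
    printf("4 x 16 request     : %s\n", p ? "allocated" : "rejected");
    free(p);
    return 0;
}
```

Auditing in-house allocation wrappers for this check does not replace the vendor updates listed above, which fix the runtime library itself.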