BlackBerry has publicly disclosed that a BadAlloc vulnerability affects its QNX Real-Time Operating System (RTOS), which a remote attacker could exploit to cause a denial-of-service condition or execute arbitrary code on affected devices. The BadAlloc collection of vulnerabilities typically affects multiple RTOSs and supporting libraries, across industries using operational technology (OT)/industrial control systems (ICS), and Internet of Things (IoT) devices.
Assigned CVE-2021-22156, the BadAlloc vulnerability affecting BlackBerry QNX RTOS is an integer overflow security loophole that affects the calloc() function in the C runtime library of multiple BlackBerry QNX products, the Cybersecurity and Infrastructure Security Agency (CISA) said in an advisory issued Tuesday. The agency also strongly encouraged critical infrastructure organizations and other entities developing, maintaining, supporting, or using affected QNX-based systems to patch affected products as quickly as possible.
CISA identified that all BlackBerry programs with dependency on the C runtime library are affected by this vulnerability. “Because many affected devices include safety-critical devices, exploitation of this vulnerability could result in a malicious actor gaining control of sensitive systems, possibly leading to increased risk of damage to infrastructure or critical functions,” it said in the advisory.
The BadAlloc-affected products identified so far include Amazon FreeRTOS version 10.4.1, Apache NuttX OS version 9.1.0, ARM CMSIS-RTOS2 versions prior to 2.1.3, ARM Mbed OS version 6.3.0, and ARM mbed-ualloc version 1.3.0. David Atch, Omri Ben Bassat, and Tamir Ariel from Microsoft Section 52, and the Azure Defender for IoT research group reported these vulnerabilities to CISA.
BadAlloc was the name assigned in April by Microsoft’s Section 52 to the collection of vulnerabilities discovered in embedded IoT and OT operating systems and software. All of the BadAlloc vulnerabilities stem from the usage of vulnerable memory functions such as malloc, calloc, realloc, memalign, valloc, pvalloc, and more. “Our research shows that memory allocation implementations written throughout the years as part of IoT devices and embedded software have not incorporated proper input validations. Without these input validations, an attacker could exploit the memory allocation function to perform a heap overflow, resulting in execution of malicious code on a target device,” according to the MSRC team.
The exploitation of the BadAlloc vulnerability could lead to a denial-of-service condition or arbitrary code execution in affected devices. To exploit the vulnerability, an attacker must have control over the parameters to a calloc() function call and the ability to control what memory is accessed after the allocation. An attacker with network access could remotely exploit this vulnerability if the vulnerable product is running and the affected device is exposed to the internet, the security agency added.
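The two paragraphs above describe the mechanism: an allocator that multiplies an element count by an element size without validating the product can wrap around, hand back a block far smaller than the caller intended, and the caller's subsequent writes then overflow the heap. The following C code is an added illustration written for this article, not BlackBerry's or QNX's code, and it does not reproduce the actual vulnerable implementation. It assumes a 32-bit size type (typedef'd here as alloc_size_t) so the wrap-around is deterministic on any host, and it places the unchecked arithmetic beside the overflow check a hardened calloc() needs; the sample request sizes are constructed for the demonstration.

```c
/* Added example (not BlackBerry/QNX code): the integer-overflow class that
 * BadAlloc describes in a calloc()-style allocator, and the check that
 * prevents it. Assumption: a 32-bit size type, as on many embedded targets,
 * so that nmemb * size wraps at 2^32. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef uint32_t alloc_size_t; /* assumed 32-bit size_t */

/* Unchecked product, as in an allocator without input validation:
 * the multiplication wraps silently when it exceeds UINT32_MAX. */
alloc_size_t unchecked_bytes(alloc_size_t nmemb, alloc_size_t size)
{
    return nmemb * size;
}

/* True when the unchecked product is smaller than what the caller asked
 * for, i.e. the allocation would be undersized and later writes would
 * run past the end of the block (the heap-overflow precondition). */
bool under_allocates(alloc_size_t nmemb, alloc_size_t size)
{
    uint64_t intended = (uint64_t)nmemb * (uint64_t)size;
    return (uint64_t)unchecked_bytes(nmemb, size) < intended;
}

/* Checked product: reports failure instead of wrapping. The division form
 * is portable C; __builtin_mul_overflow is an alternative where available. */
bool checked_bytes(alloc_size_t nmemb, alloc_size_t size, alloc_size_t *out)
{
    if (nmemb != 0 && size > UINT32_MAX / nmemb)
        return false;               /* product not representable */
    *out = nmemb * size;
    return true;
}

/* calloc()-style wrapper built on the check: a request whose byte count
 * cannot be represented is refused (NULL) rather than silently shrunk.
 * Callers must handle NULL, as they must for any allocation failure. */
void *safe_calloc(alloc_size_t nmemb, alloc_size_t size)
{
    alloc_size_t bytes;
    if (!checked_bytes(nmemb, size, &bytes))
        return NULL;
    void *p = malloc(bytes ? bytes : 1);
    if (p)
        memset(p, 0, bytes);
    return p;
}

/* Convenience for tests: does safe_calloc() grant this request? */
bool safe_calloc_accepts(alloc_size_t nmemb, alloc_size_t size)
{
    void *p = safe_calloc(nmemb, size);
    bool ok = (p != NULL);
    free(p);
    return ok;
}

int main(void)
{
    /* Constructed request: 65536 elements of 65537 bytes. The true byte
     * count is 0x1_0001_0000, which wraps to 0x10000 in 32 bits. */
    alloc_size_t n = 0x10000, s = 0x10001;
    printf("unchecked product: %u bytes (under-allocates: %s)\n",
           unchecked_bytes(n, s), under_allocates(n, s) ? "yes" : "no");
    printf("checked allocator accepts it: %s\n",
           safe_calloc_accepts(n, s) ? "yes" : "no");
    printf("checked allocator accepts 1000 x 4: %s\n",
           safe_calloc_accepts(1000, 4) ? "yes" : "no");
    return 0;
}
```

The design point is that the check sits inside the allocator, not in each caller: an attacker who controls the count and size arguments (the precondition CISA describes) gets an allocation failure to handle rather than an undersized block to write past, which turns a potential code-execution path into an ordinary out-of-memory error.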
BlackBerry QNX supplies commercial operating systems, hypervisors, development tools, support and services, purpose-built for critical embedded systems. It helps customers streamline their development efforts to more efficiently launch safe, secure, and reliable systems, and its technology is deployed in embedded systems around the world across a range of industries, including aerospace and defense, automotive, commercial vehicles, heavy machinery, industrial controls, medical, rail and robotics. Compromise of BlackBerry QNX RTOS could result in a malicious actor gaining control of highly sensitive systems, thereby heightening the risk to the nation’s critical functions.
In a separate advisory, BlackBerry said that an integer overflow vulnerability in the calloc() function of the C runtime library in affected versions of the BlackBerry QNX Software Development Platform (SDP) version 6.5.0SP1 and earlier, QNX OS for Medical 1.1 and earlier, and QNX OS for Safety 1.0.1 and earlier could potentially allow a successful attacker to perform a denial of service or execute arbitrary code. The Canadian company added that it is not aware of any exploitation of the BadAlloc vulnerability.
The Canadian Centre for Cyber Security also released an alert saying that the exploitation of these vulnerabilities could lead to arbitrary memory allocation, resulting in unexpected behavior such as a denial of service or remote code execution. The Cyber Centre advised users and administrators to review the provided web links, perform the suggested mitigations and apply the necessary updates when available.
The US CISA advised critical infrastructure organizations and other organizations involved in developing, maintaining, supporting, or using the affected QNX-based systems to patch affected products as quickly as possible. Manufacturers of products that incorporate vulnerable versions should contact BlackBerry to obtain the patch, while manufacturers of products that develop unique versions of RTOS software should contact BlackBerry to obtain the patch code, in case they need to develop and test their own software patches.
End-users of safety-critical systems should contact the manufacturer of their product to obtain a patch, CISA said. If a patch is available, users should apply the patch as soon as possible. If a patch is not available, users should apply the manufacturer’s recommended mitigation measures until the patch can be applied, it added.