A vulnerability in BlackBerry’s QNX Real-Time Operating System (RTOS) could pose a serious security risk to critical infrastructure providers, the US government has warned.
Microsoft first discovered the so-called “BadAlloc” flaws in April. These remote code execution (RCE) bugs cover over 25 CVEs and take the form of integer overflow or wraparound vulnerabilities, it said at the time.
The Cybersecurity and Infrastructure Security Agency (CISA) has issued an alert warning that the QNX RTOS is vulnerable to one of them, CVE-2021-22156, potentially enabling an attacker to perform denial-of-service or remotely control sensitive systems. It has a CVSS score of 9.0, marking it as “critical.”
Although no current reports suggest the bug has been exploited in the wild, CISA urged any organizations “developing, maintaining, supporting, or using” affected systems to patch immediately.
The issue is more urgent given the widespread deployment of QNX in critical infrastructure. BlackBerry claims that the RTOS “is trusted in more than 195 million vehicles” and embedded in systems across “aerospace and defense, automotive, commercial vehicles, heavy machinery, industrial controls, medical, rail and robotics.”
The US Food and Drug Administration has also issued a bulletin, claiming that medical device manufacturers are currently assessing and working to mitigate the vulnerability.
It has been reported that BlackBerry officials first denied that BadAlloc affected their software and then chose not to go public with the news when the flaws were first revealed several months ago.
However, this stance changed after the firm concluded that it could not identify all affected downstream customers that may be using the RTOS via OEM-ed products, according to Politico.
“Software supply chain issues are main stage now, and are the gateway drug to extortion, ransomware, and botnets,” argued BreachQuest CISO, AJ King.
“It’s always better to take early, proactive measures to show your consumers that you’re doing everything in your power to keep their data — and in this case their physical security — safe.”