The U.S. Coast Guard, through the Maritime Commons Blog, has recently written a post on BlackBerry regarding the “BadAlloc” vulnerability in their QNX OS versions 6.5 and earlier. Maritime Commons stated, “this should put all organizations on continued alert for threats and vulnerabilities to the cyber landscape.” “BadAlloc” is the name assigned to the family of vulnerabilities discovered in embedded Internet of Things (IoT) and Operational Technology (OT) operating systems and software to describe a class of memory overflow vulnerabilities.
A device with these exploitable vulnerabilities may enable malicious actors to deny system availability, ex-filtrate data, and move laterally within the systems in which they are installed. These malicious actions can lead to consequences for systems and their users, ranging from loss of data and trust to physical harm and loss of life.
On August 17, 2021, BlackBerry publicly disclosed that its QNX Real-Time Operating System (RTOS) is affected by a BadAlloc vulnerability — CVE-2021-22156. BadAlloc is a collection of vulnerabilities affecting multiple RTOSs and supporting libraries. A remote attacker could exploit CVE-2021-22156 to cause a denial-of-service condition or execute arbitrary code on affected devices. BlackBerry QNX RTOS is used in a wide range of products whose compromise could result in a malicious actor gaining control of highly sensitive systems, increasing risk to the Nation’s critical functions.
However, at this time, CISA is not aware of the active exploitation of this vulnerability. Therefore, CISA has also strongly encouraged critical infrastructure organizations and other organizations to develop, maintaining, supporting, or using affected QNX-based systems to patch affected products as quickly as possible. Refer to the Mitigations section for more information about patching.