[BreachExchange] Memory Bugs in BlackBerry’s QNX Embedded OS Open Devices to Attacks

Sophia Kingsbury sophia.kingsbury at riskbasedsecurity.com
Fri Aug 20 08:45:41 EDT 2021


https://threatpost.com/blackberrys-qnx-devices-attacks/168772/

The potential danger from a raft of memory-allocation bugs discovered by
Microsoft in April has now spread to older versions of multiple BlackBerry
QNX products.

The Cybersecurity Infrastructure and Security Agency (CISA) and BlackBerry
warned in separate alerts Tuesday that threat actors can take over or
launch denial of service attacks on devices and critical infrastructure by
exploiting what are called BadAlloc bugs tied to BlackBerry’s QNX operating
system (OS).

QNX is a real-time OS, used in embedded systems such as automobiles,
medical devices and handsets. BlackBerry acquired the OS in 2010 when it
bought Quantum Software Systems. Industries and devices using the affected
QNX OS include aerospace and defense, heavy machinery, rail, robotics,
industrial controls and medical devices. BlackBerry boasted in 2019 that
QNX is embedded in the infotainment systems of 150 million vehicles from
makers including Audi, Ford, Kia and Volkswagen.

BadAlloc, tracked as CVE-2021-22156, is the name Microsoft’s Section 52
research group gave to 25 critical memory-allocation vulnerabilities
discovered in April that at the time were believed to affect myriad
vendors’ IoT and industrial devices.

“BlackBerry QNX RTOS is used in a wide range of products whose compromise
could result in a malicious actor gaining control of highly sensitive
systems, increasing risk to the nation’s critical functions,” according to
the CISA’s advisory.

CISA warned that all BlackBerry programs with dependency on the C runtime
library are affected by the vulnerability. “Because many affected devices
include safety-critical devices, exploitation of this vulnerability could
result in a malicious actor gaining control of sensitive systems, possibly
leading to increased risk of damage to infrastructure or critical
functions,” the agency said.

BlackBerry put out a security advisory of its own on a BadAlloc-related
integer overflow vulnerability in the calloc() function of the C runtime
library in specific versions of the BlackBerry QNX. The company said the
flaw affects the BlackBerry QNX Software Development Platform (SDP) version
6.5.0SP1 and earlier, QNX OS for Medical 1.1 and earlier, and QNX OS for
Safety 1.0.1 and earlier.

So far there is no evidence of active exploitation of BadAlloc on
BlackBerry QNX devices, both the company and the CISA added.

Improper Input Validation

Memory allocation is exactly what it sounds like: the basic set of
instructions device makers give a device for how to allocate memory.
BadAlloc vulnerabilities stem from a systemic issue in which
memory-allocation implementations written throughout the years as part of
devices and embedded software did not incorporate proper input validation,
according to Microsoft. Without these validations, attackers can exploit
the memory allocation function to perform a heap overflow, resulting in
execution of malicious code on a target device.

BadAlloc bugs are attributed specifically to the usage of vulnerable memory
functions that exist across devices, such as malloc, calloc, realloc,
memalign, valloc, pvalloc and more. What makes them so pervasive is that
they can exist in various aspects of devices, including RTOS, embedded
SDKs, and C standard libraries.

CISA and BlackBerry strongly urged in separate documentation that all
organizations whose devices use affected QNX-based systems immediately
update to the latest version of the technology and apply mitigations.

BlackBerry warned that there are no known workarounds for the vulnerability
on BlackBerry QNX SDP version 6.5.0SP1 and earlier, QNX OS for Medical 1.1
and earlier, and QNX OS for Safety 1.0.1. However, to avoid exploitation,
system administrators can ensure that only ports and protocols used by the
application using the RTOS are accessible by blocking all others, the
company said.

BlackBerry also advised that administrators follow network segmentation,
vulnerability scanning, and intrusion detection best practices appropriate
for use of the QNX product in their cybersecurity environment “to prevent
malicious or unauthorized access to vulnerable devices.”

CISA also strongly encouraged that critical infrastructure organizations
and other organizations developing, maintaining, supporting, or using
affected QNX-based systems contact BlackBerry to obtain patches for their
products.
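
The calloc() integer overflow named in BlackBerry's advisory, and the missing input validation that Microsoft attributes BadAlloc to, shown as an added C example that is not from the article, the advisories or QNX's source. The function names (unchecked_total, checked_total, safe_calloc) are hypothetical and the input values are constructed for illustration.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Flawed pattern: the byte count is computed without checking for wraparound,
 * so a huge nmemb * size yields a small total and an undersized buffer. */
static size_t unchecked_total(size_t nmemb, size_t size)
{
    return nmemb * size;            /* wraps modulo SIZE_MAX + 1 */
}

/* Hardened pattern: reject the request before multiplying if it would wrap. */
static int checked_total(size_t nmemb, size_t size, size_t *out)
{
    if (size != 0 && nmemb > SIZE_MAX / size)
        return -1;
    *out = nmemb * size;
    return 0;
}

/* Hypothetical calloc-style wrapper built on the checked multiply. */
static void *safe_calloc(size_t nmemb, size_t size)
{
    size_t total;
    if (checked_total(nmemb, size, &total) != 0) {
        errno = ENOMEM;             /* fail the allocation, do not truncate */
        return NULL;
    }
    void *p = malloc(total ? total : 1);
    if (p != NULL)
        memset(p, 0, total);
    return p;
}

int main(void)
{
    /* Constructed input: element count chosen so that count * 16 wraps to 16. */
    size_t nmemb = SIZE_MAX / 16 + 2, size = 16;
    printf("requested %zu x %zu, unchecked total = %zu bytes\n",
           nmemb, size, unchecked_total(nmemb, size));
    printf("safe_calloc returned %p\n", safe_calloc(nmemb, size));
    return 0;
}
```

A caller that trusts the unchecked total receives a 16-byte buffer while believing it holds the full element count, which is the precondition for the heap overflow the article describes; the checked version fails the allocation instead.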