QNX is used in millions of vehicles as well as embedded systems in industries such as aerospace, automotive, defence, industrial controls, and medical, among others.
QNX Real-Time Operating System (RTOS) is affected by a BadAlloc vulnerability (CVE-2021-22156) in the calloc() function of the C runtime library. The vulnerability has been given a score of 9.0 out of 10 under CVSSv3.
This could allow a remote attacker to achieve remote code execution (RCE) or to cause a Denial of Service (DoS) on affected systems.
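BadAlloc is the name given to a class of integer-overflow bugs in memory allocation routines: when the element count multiplied by the element size wraps around, the allocator returns a buffer far smaller than the caller expects. The C code below is an added example, not code from BlackBerry or from the original advisory; the function names are hypothetical and the 32-bit size_t model is an assumption used to show the wrap and the caller-side check that prevents it.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Models what an unchecked calloc() computes on a target with a 32-bit
 * size_t (assumption for illustration): the product is truncated, so a
 * huge request can collapse into a tiny allocation. */
uint32_t wrapped_request_size(uint32_t nmemb, uint32_t size)
{
    return (uint32_t)((uint64_t)nmemb * size);   /* keeps the low 32 bits only */
}

/* Returns 1 if nmemb * size cannot be represented in size_t, else 0. */
int calloc_would_overflow(size_t nmemb, size_t size)
{
    return size != 0 && nmemb > SIZE_MAX / size;
}

/* Caller-side guard (hypothetical name): refuse the request instead of
 * passing it to a C library whose calloc() may not check the product. */
void *checked_calloc(size_t nmemb, size_t size)
{
    if (calloc_would_overflow(nmemb, size)) {
        errno = ENOMEM;
        return NULL;
    }
    return calloc(nmemb, size);
}

int main(void)
{
    /* Constructed sample: 0x40000001 elements of 4 bytes each. */
    uint32_t n = 0x40000001u, sz = 4;
    printf("requested %llu bytes, 32-bit product wraps to %u\n",
           (unsigned long long)n * sz, wrapped_request_size(n, sz));

    void *p = checked_calloc(SIZE_MAX / 2 + 1, 2);
    printf("overflowing request: %s\n", p ? "allocated" : "refused");
    free(p);

    int *ok = checked_calloc(16, sizeof *ok);
    printf("checked_calloc(16, %zu): %s\n", sizeof *ok, ok ? "allocated" : "refused");
    free(ok);
    return 0;
}
```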
If you are running any of the versions of QNX listed below, you are affected by this vulnerability.
Products based on the following are affected:
QNX SDP 6.5.0SP1
QNX SDP 6.5.0
QNX SDP 6.4.1
QNX SDP 6.4.0
QNX Momentics Development Suite 6.3.2
QNX Momentics 6.3.0SP3
QNX Momentics 6.3.0SP2
QNX Momentics 6.3.0SP1
QNX Momentics 6.3.0
QNX Momentics 6.2.1b
QNX Momentics 6.2.1
QNX Momentics 6.2.1A
QNX Momentics 6.2.0
QNX Realtime Platform 6.1.0a
QNX Realtime Platform 6.1.0
QNX Realtime Platform 6.0.0a
QNX Realtime Platform 6.0.0
QNX Cross Development Kit 6.0.0
QNX Development Kit (Self-hosted) 6.0.0
QNX Cross Development Kit 6.1.0
QNX Development Kit (Self-hosted) 6.1.0
QNX Neutrino RTOS Safe Kernel 1.0
QNX Neutrino RTOS Certified Plus 1.0
QNX Neutrino RTOS for Medical Devices 1.0
QNX Neutrino RTOS for Medical Devices 1.1
QNX OS for Automotive Safety 1.0
QNX OS for Safety 1.0
QNX OS for Safety 1.0.1
QNX Neutrino Secure Kernel 6.4.0
QNX Neutrino Secure Kernel 6.5.0
QNX CAR Development Platform 2.0RR
Containment, Mitigations & Remediations
Updates are available for the RTOS and BlackBerry is strongly urging all customers to update affected systems immediately. However, third-party products based on the platform require updates to come from the vendor.
Additional best practices such as network segmentation are advised, with unused ports and protocols being disabled or blocked.
To reduce the likelihood of exploitation on the system, QNX supports Address Space Layout Randomization (ASLR). To enable ASLR, use the -mr option with procnto. BlackBerry advise that customers who are able to enable ASLR should do so.
Indicators of Compromise
There are no defined IoCs at this time.
CISA noted: Because many affected devices include safety-critical devices, exploitation of this vulnerability could result in a malicious actor gaining control of sensitive systems, possibly leading to increased risk of damage to infrastructure or critical functions.
BlackBerry QNX Knowledge Base
Security Week – BadAlloc Flaw Impacts Many Systems Running BlackBerry’s QNX Embedded OS
Cybersecurity and Infrastructure Security Agency (CISA) – BadAlloc Vulnerability Affecting BlackBerry QNX RTOS