A severe security flaw in BlackBerry QNX software could put cars and medical equipment at risk and expose highly sensitive systems to attackers, the US drugs regulator and a federal agency said today.
According to BlackBerry, the vulnerability has a Common Vulnerability Scoring System (CVSS v3) rating of 9.0 out of 10, which falls in the critical range.
The warning came after BlackBerry disclosed that its QNX Real Time Operating System (RTOS) has a severe vulnerability.
The issue does not impact current or recent versions of the QNX RTOS, but rather versions dating from 2012 and earlier, according to BlackBerry.
BlackBerry issued a public advisory yesterday identifying an integer overflow issue with multiple Real Time Operating Systems (“RTOS”) from multiple vendors, including older versions of the QNX RTOS.
However, other companies affected by the same flaw, dubbed BadAlloc, went public with the news in May.
Two people reportedly familiar with discussions between BlackBerry and federal cybersecurity officials, including one government employee, say the company initially denied that BadAlloc impacted its products at all and later resisted making a public announcement.
The US Cybersecurity and Infrastructure Security Agency (CISA) said in a statement:
“The software is used in a wide range of products and its compromise could result in a malicious actor gaining control of highly sensitive systems, increasing risk to the Nation’s critical functions”.
The federal agency that comes under the Department of Homeland Security and the company said they were not yet aware of any case of active exploitation of the flaw.
Medical equipment manufacturers are assessing which systems could be affected and the US Food and Drug Administration said it was not aware of any adverse events.
“FDA is not aware of any confirmed adverse events related to these vulnerabilities,” it said.
“Manufacturers are assessing which equipment or systems may be affected by the BlackBerry QNX cybersecurity vulnerability, evaluating the risk, and developing mitigations, including deploying patches from BlackBerry.”
“BadAlloc”
Microsoft security researchers announced in April that they’d discovered the vulnerability and found it in a number of companies’ operating systems and software.
In May, many of those companies worked with the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency to publicly reveal the flaws and urge users to patch their devices.
“BadAlloc” is the name assigned by Microsoft’s Section 52 to this class of memory overflow vulnerabilities, a family of flaws discovered in embedded IoT and OT operating systems and software.
All of these vulnerabilities stem from the use of vulnerable memory functions such as malloc, calloc, realloc, memalign, valloc, pvalloc, and more. Microsoft’s research showed that memory allocation implementations written over the years for IoT devices and embedded software have not validated their inputs properly.
Without that input validation, an attacker could exploit the memory allocation function to perform a heap overflow, resulting in execution of malicious code on a target device.
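To make the allocator flaw concrete, the following C example (written for this article, not code from BlackBerry, QNX or Microsoft) shows the kind of size arithmetic an allocator performs before carving out a block, once unchecked and once with the overflow check that the BadAlloc family lacks. The header size and alignment are assumed values chosen for illustration; the point is that adding bookkeeping bytes to a caller-supplied size can wrap around, so a huge request silently becomes a tiny block.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical allocator bookkeeping: a per-block header plus rounding up
   to a 16-byte boundary. These constants are assumptions for the example,
   not values taken from QNX or any other RTOS. */
#define HDR_SIZE 16u
#define ALIGN    16u

/* Unchecked computation of the kind BadAlloc describes: header and padding
   are added to a caller-controlled size without testing for wrap-around.
   A request near SIZE_MAX wraps to a very small block size, and a later
   copy of the requested length into that block overflows the heap. */
size_t unchecked_block_size(size_t requested) {
    return (requested + HDR_SIZE + (ALIGN - 1)) & ~(size_t)(ALIGN - 1);
}

/* Hardened computation: refuse (return 0) any request for which adding the
   header and padding would exceed SIZE_MAX, so the caller never receives an
   undersized block. */
size_t checked_block_size(size_t requested) {
    if (requested > SIZE_MAX - HDR_SIZE - (ALIGN - 1)) {
        return 0; /* would wrap around */
    }
    return (requested + HDR_SIZE + (ALIGN - 1)) & ~(size_t)(ALIGN - 1);
}

/* calloc-style wrapper: the count * size multiplication needs the same
   treatment before the result is handed to the block-size computation. */
void *checked_calloc_like(size_t count, size_t size) {
    if (size != 0 && count > SIZE_MAX / size) {
        return NULL; /* multiplication would overflow */
    }
    size_t total = checked_block_size(count * size);
    if (total == 0) {
        return NULL; /* addition of header/padding would overflow */
    }
    return calloc(1, total);
}

int main(void) {
    size_t huge = SIZE_MAX - 5; /* constructed hostile request */
    printf("unchecked: request %zu -> block %zu bytes\n",
           huge, unchecked_block_size(huge));
    printf("checked:   request %zu -> block %zu (0 = rejected)\n",
           huge, checked_block_size(huge));
    void *p = checked_calloc_like(4, 8);
    printf("checked_calloc_like(4, 8) %s\n", p ? "succeeded" : "failed");
    free(p);
    return 0;
}
```

Running it shows the unchecked path turning a request of almost SIZE_MAX bytes into a 16-byte block, while the checked path rejects it; this is the input validation the article says many embedded allocators omitted.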
Back in April, Microsoft recommended the following mitigations for organizations with IoT and OT devices:
• Patch. Follow vendor instructions for applying patches to the affected products.
• If you can’t patch, monitor. Since most legacy IoT and OT devices don’t support agents, use an IoT/OT-aware network detection and response (NDR) solution like Azure Defender for IoT and SIEM/SOAR solution like Azure Sentinel to auto-discover and continuously monitor devices for anomalous or unauthorized behaviours, such as communication with unfamiliar local or remote hosts. These are essential elements of implementing a Zero Trust strategy for IoT/OT.
• Reduce the attack surface by eliminating unnecessary internet connections to OT control systems and implementing VPN access with multi-factor authentication (MFA) when remote access is required. The DHS warns that VPN devices may also have vulnerabilities and should be updated to the most current version available.
• Segment. Network segmentation is important for Zero Trust because it limits the attacker’s ability to move laterally and compromise your crown jewel assets after the initial intrusion. In particular, IoT devices and OT networks should be isolated from corporate IT networks using firewalls.