Memory Bugs in BlackBerry’s QNX Embedded OS Open Devices to Attacks
The Cybersecurity and Infrastructure Security Agency and BlackBerry warned in separate alerts Tuesday that threat actors can take over or launch denial of service attacks on devices and critical infrastructure by exploiting what are called BadAlloc bugs tied to BlackBerry's QNX operating system.
QNX is a real-time OS, used in embedded systems such as automobiles, medical devices and handsets.
Industries and devices using the affected QNX OS include aerospace and defense, heavy machinery, rail, robotics, industrial controls and medical devices.
BlackBerry boasted in 2019 that QNX is embedded in the infotainment systems of 150 million vehicles from makers including Audi, Ford, Kia and Volkswagen.
BlackBerry put out a security advisory of its own on a BadAlloc-related integer overflow vulnerability in the calloc() function of the C runtime library in specific versions of BlackBerry QNX. The company said the flaw affects the BlackBerry QNX Software Development Platform version 6.5.0SP1 and earlier, QNX OS for Medical 1.1 and earlier, and QNX OS for Safety 1.0.1 and earlier.
BlackBerry warned that there are no known workarounds for the vulnerability on BlackBerry QNX SDP version 6.5.0SP1 and earlier, QNX OS for Medical 1.1 and earlier, and QNX OS for Safety 1.0.1.
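The bug class named in the advisory, an integer overflow in calloc(), illustrated with an added C example that is not QNX or BlackBerry code: it assumes the usual form of the flaw, where the element count multiplied by the element size wraps around, and shows the check a correct allocator applies before allocating. The names `unchecked_request`, `mul_overflows` and `checked_calloc` and the sample sizes are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Size an unchecked calloc()-style allocator would actually request:
 * the product is reduced modulo SIZE_MAX + 1, so it can wrap. */
size_t unchecked_request(size_t nmemb, size_t size)
{
    return nmemb * size;
}

/* Returns 1 if nmemb * size cannot be represented in size_t. */
int mul_overflows(size_t nmemb, size_t size)
{
    return size != 0 && nmemb > SIZE_MAX / size;
}

/* Hypothetical hardened wrapper: refuse the request instead of
 * returning a buffer smaller than the caller believes it has. */
void *checked_calloc(size_t nmemb, size_t size)
{
    if (mul_overflows(nmemb, size))
        return NULL;
    size_t total = nmemb * size;
    void *p = malloc(total ? total : 1);
    if (p != NULL)
        memset(p, 0, total);
    return p;
}

int main(void)
{
    /* Constructed input: a record count taken from untrusted data. */
    size_t count = SIZE_MAX / 16 + 2, record = 16;
    printf("caller expects %zu records of %zu bytes\n", count, record);
    printf("unchecked request: %zu bytes\n", unchecked_request(count, record));
    printf("checked_calloc: %s\n",
           checked_calloc(count, record) ? "allocated" : "rejected");
    return 0;
}
```

With the constructed count, the unchecked product wraps to 16 bytes while the caller still believes it owns room for every record, which is the mismatch that leads to out-of-bounds writes; the checked wrapper returns NULL instead.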
News URL
https://threatpost.com/blackberrys-qnx-devices-attacks/168772/