BlackBerry QNX development platform warns of vulnerability in medical and security versions of the OS
BlackBerry has warned software developers and IoT product makers using its QNX operating system that some versions of its development platform and OS have a vulnerability that should be fixed immediately.
QNX is a real-time embedded operating system used in a wide range of industrial systems including medical ventilators, medical robots, train controls, cars and factory automation systems.
In an advisory issued on Tuesday, the company said that an integer overflow vulnerability in the calloc() function of the C runtime library in QNX Software Development Platform (SDP) version 6.5.0SP1 and earlier, QNX OS for Medical 1.1 and earlier, and QNX OS for Security 1.0.1 and earlier could allow a successful attacker to cause a denial of service or execute arbitrary code.
It also said that the vulnerability does not affect current or recent versions of the QNX RTOS, but rather 2012 and earlier versions.
"All potentially affected customers have been notified," the company said in a statement. "BlackBerry has provided software patches to address this issue. Additionally, BlackBerry is providing 24/7 support to customers as needed. At this time none of the customers have indicated that they have been affected."
The full list of affected QNX products is available here.
The company said it is not aware of any exploitation of this vulnerability.
The vulnerability, CVE-2021-22156, has been assigned a CVSS severity score of 9.
Systems that do not have external interfaces are not affected, nor are systems running newer versions of QNX SDP, QNX OS for Medical or QNX OS for Security.
BlackBerry says that to exploit this vulnerability, an attacker must control the parameters of the calloc() function call and must be able to control which memory is accessed after the allocation. To exploit it remotely, an attacker would need network access, and the device would need to be running a vulnerable service that is exposed to the network.
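The integer overflow the advisory describes, as an added illustration that is not taken from the QNX code base: when nmemb multiplied by size wraps in size_t, an unchecked calloc() hands back a buffer far smaller than requested, while a hardened implementation rejects the request. The function names are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Returns 1 if nmemb * size would wrap around in size_t, i.e. the condition a
 * calloc() implementation must reject. The division cannot itself overflow. */
int calloc_size_overflows(size_t nmemb, size_t size)
{
    return nmemb != 0 && size > SIZE_MAX / nmemb;
}

/* What an unchecked implementation computes for the same request: the wrapped
 * product, which is the undersized buffer behind this bug class. Unsigned
 * wrap-around is well defined in C, so this is the actual value, not UB. */
size_t wrapped_product(size_t nmemb, size_t size)
{
    return nmemb * size;
}

/* Hypothetical hardened wrapper: refuse the request instead of allocating the
 * wrapped (too small) product and letting later writes run past its end. */
void *checked_calloc(size_t nmemb, size_t size)
{
    if (calloc_size_overflows(nmemb, size)) {
        return NULL;
    }
    size_t total = nmemb * size;
    void *p = malloc(total);
    if (p != NULL) {
        memset(p, 0, total);
    }
    return p;
}

int main(void)
{
    /* Constructed request: (SIZE_MAX/2 + 1) elements of 4 bytes wraps to 0
     * on both 32- and 64-bit targets, so an unchecked calloc() would
     * return a zero-length (or minimal) chunk for a huge logical array. */
    size_t nmemb = SIZE_MAX / 2 + 1;
    size_t size = 4;
    printf("overflows=%d wrapped=%zu\n",
           calloc_size_overflows(nmemb, size), wrapped_product(nmemb, size));
    void *p = checked_calloc(nmemb, size);
    printf("checked_calloc returned %s\n", p == NULL ? "NULL" : "a buffer");
    free(p);
    return 0;
}
```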
It is the latest in a series of vulnerabilities called BadAlloc found in many real-time operating systems (RTOS) and supporting libraries from Amazon, ARM, Google, Texas Instruments and others. Microsoft outlined the problem in April.
According to Politico, BlackBerry had known about the problem for months and had resisted pressure from US cybersecurity officials to make a public announcement. The article stated that BlackBerry representatives told the U.S. Cybersecurity and Infrastructure Security Agency (CISA) that they did not believe BadAlloc affected their products, even though CISA concluded that it did.
When asked for comment, BlackBerry referred IT World Canada to its Tuesday statement.
The QNX software development platform, now in version 7, includes the 64-bit Neutrino real-time operating system and the Momentics tool suite. It meets several ISO safety standards for automotive and industrial products.
QNX OS for Security is specifically designed for safety-critical embedded systems in medical devices, industrial controls, aerospace control systems, automotive systems, power generation, robotics and rail transportation.
QNX OS for Medical is aimed at the medical market. BlackBerry says that seven of the top eight medical device manufacturers use QNX in their devices, which include robotics for blood diagnostics, ultrasound imaging, infusion delivery, heart monitoring, resuscitation and surgery.