QNX-2021-001 Vulnerability in the C Runtime Library Impacts BlackBerry QNX Software Development Platform (SDP), QNX OS for Medical, and QNX OS for Safety
Article Number: 000082334
First Published:
Last Modified: August 17, 2021
Type: Security Advisory
Overview
This advisory addresses an integer overflow vulnerability in the calloc() function of the C runtime library in affected versions of the BlackBerry QNX Software Development Platform (SDP) version 6.5.0SP1 and earlier, QNX OS for Medical 1.1 and earlier, and QNX OS for Safety 1.0.1 and earlier that could potentially allow a successful attacker to perform a denial of service or execute arbitrary code. BlackBerry is not aware of any exploitation of this vulnerability.
BlackBerry investigates all reports of security vulnerabilities affecting supported products and services. A security advisory is issued once the investigation is complete and the software update is released. Installing the recommended update(s) in this advisory will help maintain the security of your BlackBerry product(s).
VULNERABILITY INFORMATION
| Vulnerability Categories | Vulnerability Details |
| --- | --- |
| CVE Identifier | CVE-2021-22156 |
| Vulnerability Type | Denial of Service or arbitrary code execution |
| CVSS Score | 9.0 |
| Affected Product(s) | This issue exists in the calloc() function in the C runtime library included with: https://www.qnx.com/support/knowledgebase.html?id=5015Y000001SX2z |
| Affected Component(s) | C runtime library - All programs inherit this vulnerability if they have a dependency on the C runtime. |
| Non-Affected Product(s) | |
| Who Should Read This Advisory/Apply Software Update(s) | Developers, administrators and project managers who develop, maintain, or support affected QNX-based systems. Manufacturers of products which incorporate affected QNX-based systems. |
| Requirements for Attacker to be Successful | In order to exploit this vulnerability, an attacker must have control over the parameters to a calloc() function call and the ability to control what memory is accessed after the allocation. To remotely exploit this vulnerability, an attacker would require network access and the devices would need to have a vulnerable service running and exposed. |
| Impact if Requirements are met | A successful attacker could exploit the integer overflow in the calloc() function for denial of service or arbitrary code execution. |
| Mitigation(s) | Ensure that only ports and protocols used by the application using the RTOS are accessible, blocking all others. Follow network segmentation, vulnerability scanning, and intrusion detection best practices appropriate for use of the QNX product in your cybersecurity environment to prevent malicious or unauthorized access to vulnerable devices. |
| Workaround(s)/Recommendation(s). All workarounds should be considered temporary measures. BlackBerry recommends that customers install the latest update(s) to protect their systems. | There are no known workarounds for this vulnerability. Customers will reduce the possibility of exploitation by enabling the capability for ASLR to randomize process segment addresses. To enable ASLR, use the -mr option with procnto. Customers who are able to enable ASLR should do so. In addition, to eliminate the likelihood of an issue occurring, integrators whose systems are based on an affected QNX product should: |
| Software Update(s) | The updates listed above are now available through the QNX Download Center here: To access these links, you must be logged in to your myQNX account. If you have received updates through a services engagement or are not sure whether this advisory applies to your specific BlackBerry QNX products, please contact your BlackBerry QNX support representative for assistance. Entities who use the vulnerable product for a purpose which is regulated by law for safety or security should follow all relevant safety or security guidance from regulatory agencies as to the secure configuration of their device. |
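The flaw described above is the classic calloc() size computation: nmemb * size wraps in a size_t, so the allocator returns a buffer far smaller than the caller assumes. The following added example (not BlackBerry's or QNX's code) shows the overflow check a correct calloc() must perform, wrapped as a guard that application code on a not-yet-updated runtime can place in front of its own allocation calls. The function names and the sample inputs are constructed for illustration.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Returns true when nmemb * size cannot be represented in a size_t.
 * This is the check a correct calloc() must perform; an allocator that
 * skips it computes a wrapped (too small) byte count and hands back a
 * buffer the caller believes holds nmemb elements. */
bool calloc_size_overflows(size_t nmemb, size_t size)
{
    if (nmemb == 0 || size == 0)
        return false;               /* zero-size requests cannot wrap */
    return nmemb > SIZE_MAX / size; /* division avoids overflowing here */
}

/* Guarded allocation for code that cannot yet deploy the fixed runtime:
 * it rejects the call before a vulnerable calloc() would see the
 * overflowing arguments. Returns NULL with errno = ENOMEM on overflow,
 * otherwise whatever calloc() returns. */
void *checked_calloc(size_t nmemb, size_t size)
{
    if (calloc_size_overflows(nmemb, size)) {
        errno = ENOMEM;
        return NULL;
    }
    return calloc(nmemb, size);
}

/* Exercises the guard: true if the request was refused (or the heap is
 * genuinely exhausted), false if a buffer was obtained and freed. */
bool request_rejected(size_t nmemb, size_t size)
{
    void *p = checked_calloc(nmemb, size);
    if (p == NULL)
        return true;
    free(p);
    return false;
}

int main(void)
{
    /* Constructed input: an element count that, multiplied by an
     * 8-byte element size, wraps to exactly 0 on a 64-bit size_t. */
    size_t wrapping_count = SIZE_MAX / 8 + 1;
    printf("1000 x 8 rejected: %d\n", request_rejected(1000, 8));
    printf("%zu x 8 rejected: %d\n", wrapping_count,
           request_rejected(wrapping_count, 8));
    return 0;
}
```

The same division-based check is what a patched allocator applies internally; the wrapper only narrows the window until the runtime update from the QNX Download Center is installed.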
More information
Where can I read more about the security of BlackBerry products and services?
For more information on BlackBerry security visit http://www.blackberry.com/psirt.
References
CISA Alert: https://us-cert.cisa.gov/ics/advisories/icsa-21-119-04
CCCS Alert: https://cyber.gc.ca/en/alerts/control-systems-blackberry-qnx-security-advisory
Microsoft Alert: https://msrc-blog.microsoft.com/2021/04/29/badalloc-memory-allocation-vulnerabilities-could-affect-wide-range-of-iot-and-ot-devices-in-industrial-medical-and-enterprise-networks/
Definitions
CVE
Common Vulnerabilities and Exposures is a dictionary of common names (CVE Identifiers) for publicly known information security vulnerabilities maintained by the MITRE Corporation.
CVSS
Common Vulnerability Scoring System is a vendor agnostic, industry open standard designed to convey the severity of a vulnerability. CVSS scores may be used to determine the urgency for update deployment within an organization and can range from 0.0 (no vulnerability) to 10.0 (critical). BlackBerry uses CVSSv3 in vulnerability assessments to present an immutable characterization of security vulnerabilities. BlackBerry assigns all relevant security vulnerabilities a non-zero score. Customers performing their own risk assessments of vulnerabilities that may impact them can benefit from using the same industry-recognized CVSS metrics.
Mitigations
Mitigations are existing conditions that a potential attacker would need to overcome to mount a successful attack or that would limit the severity of an attack. Examples of such conditions include default settings, common configurations and general best practices.
Workarounds
Workarounds are settings or configuration changes that a user or administrator can apply to help protect against an attack.
Legal Disclaimer
All data and information provided in this advisory (“Information”) are provided for informational purposes only and are provided “as is” without any warranties or guarantees, express or implied, including without limitation, any warranties or guarantees relating to the accuracy or reliability of the contents of the Information. In no event shall BlackBerry Limited and/or its subsidiaries and affiliates (“BlackBerry”) be liable to any party for any direct, indirect, special, punitive, consequential, or incidental damages in connection with any reliance on or use of the Information, including without limitation, loss of business revenue or earnings, lost data, damages caused by delays, lost profits or a failure to realize expected savings or revenues, even if BlackBerry was expressly advised of the possibility of such damages.
Change Log
08-17-2021
Initial publication