The USA’s CISA and Blackberry have simultaneously announced that the Real Time Operating System (RTOS) products of Blackberry’s QNX division are affected by CVE-2021-22156, the so-called “BadAlloc” vulnerability recently disclosed in RTOS products. The vulnerability allows an overflow attack against services that use the calloc() function, which could result in denial of service or remote code execution (RCE). QNX was a major acquisition by the iconic handheld device company Blackberry and specializes in providing an RTOS to a wide range of embedded devices and applications. Any RTOS that has not yet been updated to the latest version and patched is vulnerable. Affected systems include over 195 million vehicle systems as well as a wide range of medical devices, industrial control systems (ICS), and other embedded devices.
Internet of Things (IoT), ICS, and embedded devices often have legacy, administration, and compatibility constraints that make quick updates and patches unfeasible. No workarounds for mitigating CVE-2021-22156 are known at this time for cases where the RTOS cannot be updated and patched. Blackberry QNX suggests minimizing attack surface by reducing network access to affected devices or exposed services where possible, disabling unnecessary services, and enabling ASLR (a security feature that randomizes memory addresses) where possible to make exploitation of this vulnerability harder. No exploitation of this vulnerability has been seen in the wild so far, but this can change quickly after disclosure.
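As an added illustration of the defect class behind BadAlloc, not code from QNX or Blackberry: the unchecked element-count-times-size computation that a calloc() implementation must perform, beside a checked version that rejects a product that would wrap. It models a 32-bit target's size_t with uint32_t so the wrap-around is reproducible on any host; the function names are constructed.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Constructed model of a 32-bit embedded target's size_t, so the wrap-around
   is reproducible on a 64-bit host. Not QNX code. */
typedef uint32_t size32_t;

/* Unchecked size computation: the defect class BadAlloc names.
   nmemb * size is reduced modulo 2^32, so a huge request becomes a small one. */
size32_t naive_alloc_size(size32_t nmemb, size32_t size) {
    return nmemb * size;
}

/* Hardened computation: returns 0 and stores the product in *out, or -1 if
   nmemb * size would not fit in size32_t. The division cannot itself overflow. */
int checked_alloc_size(size32_t nmemb, size32_t size, size32_t *out) {
    if (nmemb != 0 && size > UINT32_MAX / nmemb) return -1;
    *out = nmemb * size;
    return 0;
}

/* calloc-style wrapper built on the check: refuses the request instead of
   handing back a zeroed block far smaller than the caller asked for. */
void *guarded_calloc(size32_t nmemb, size32_t size) {
    size32_t total;
    if (checked_alloc_size(nmemb, size, &total) != 0) {
        return NULL;
    }
    void *block = malloc(total ? total : 1);
    if (block != NULL) {
        memset(block, 0, total);
    }
    return block;
}

int main(void) {
    /* Constructed request: 65536 elements of 65537 bytes. The true total is
       2^32 + 65536 bytes, which wraps to 65536 in 32-bit arithmetic. */
    size32_t nmemb = 0x10000u, size = 0x10001u, total = 0;
    printf("naive size: %" PRIu32 " bytes\n", naive_alloc_size(nmemb, size)); /* 65536 */
    printf("checked:    %s\n", checked_alloc_size(nmemb, size, &total) == 0 ? "ok" : "rejected");
    void *p = guarded_calloc(nmemb, size);
    printf("guarded_calloc returned %s\n", p == NULL ? "NULL" : "a block");
    free(p);
    return 0;
}
```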