On August 17, 2021, BlackBerry publicly disclosed that its QNX Real-Time Operating System is affected by a BadAlloc vulnerability, CVE-2021-22156. QNX is the world’s most prevalent real-time operating system. BadAlloc is a collection of vulnerabilities affecting multiple RTOSs and supporting libraries used across a wide range of industries in Internet of Things (IoT) devices, medical devices, and operational technology (OT)/industrial control systems (ICS) devices.
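The BadAlloc class of bugs consists of integer overflows in the size arithmetic of memory allocation routines: a request for count * size elements wraps to a small number, the allocator returns a small buffer, and the caller then writes past it. The following C example is added here to illustrate that arithmetic and the check that prevents it; it is not BlackBerry or QNX code and calls no RTOS allocator. The function names (checked_mul_size, unchecked_alloc_bytes, safe_calloc) and the sample request size are constructed for the demonstration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Returns 1 and stores count * size in *out if the product fits in size_t,
   or 0 if it would overflow. This is the guard a BadAlloc-style allocator lacks. */
int checked_mul_size(size_t count, size_t size, size_t *out) {
    if (count != 0 && size > SIZE_MAX / count) {
        return 0; /* product would wrap */
    }
    *out = count * size;
    return 1;
}

/* Unchecked size computation, as a vulnerable allocator might do it.
   Returns the (possibly wrapped) byte count only; nothing is allocated. */
size_t unchecked_alloc_bytes(size_t count, size_t size) {
    return count * size; /* unsigned multiplication wraps silently */
}

/* Hardened zeroed array allocation: rejects requests whose size overflows
   instead of handing back an undersized buffer. */
void *safe_calloc(size_t count, size_t size) {
    size_t bytes;
    if (!checked_mul_size(count, size, &bytes)) {
        return NULL;
    }
    void *p = malloc(bytes == 0 ? 1 : bytes);
    if (p != NULL) {
        memset(p, 0, bytes);
    }
    return p;
}

/* Constructed request: (SIZE_MAX / 4) + 2 elements of 4 bytes. The true
   product exceeds SIZE_MAX by 4, so the unchecked path wraps to exactly 4
   bytes while the checked path reports an overflow. Returns 1 if both
   behaviours are observed as described. */
int demo_wraps_to_small(void) {
    size_t count = (SIZE_MAX / 4) + 2;
    size_t wrapped = unchecked_alloc_bytes(count, 4);
    size_t checked;
    int ok = checked_mul_size(count, 4, &checked);
    return (wrapped == 4) && (ok == 0);
}

/* Helper for exercising safe_calloc: returns 1 if the request is accepted
   (and frees the buffer), 0 if it is rejected. */
int safe_calloc_accepts(size_t count, size_t size) {
    void *p = safe_calloc(count, size);
    if (p == NULL) {
        return 0;
    }
    free(p);
    return 1;
}
```

The overflow test in checked_mul_size divides rather than multiplies so that the comparison itself cannot wrap; the same pattern applies to any allocator, serializer, or buffer-length computation that multiplies an attacker-influenced count by an element size.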
The ACSC suggests users identify where the BlackBerry QNX real-time operating system is used in their systems. Individual work areas may need to be asked where they have safety-critical systems, or where a real-time operating system would need to be deployed. When such systems are identified, they should be investigated to see if they are running QNX and the risk assessed. Some devices might have an ‘about page’ or software ‘information pages’ that detail the underlying real-time operating system. Other devices might require reviewing the product specification sheet or a discussion with the vendor.
Whether exploitation is possible depends on the presence of an external connection, and whether compensating controls otherwise protect the device. Impact is implementation specific. The ACSC recommends users take defensive measures such as those detailed in the Protecting Industrial Control Systems publication to minimize the risk of exploitation. Specifically, users should: