HC3 TLP White Alert: BadAlloc Vulnerability Affecting BlackBerry QNX RTOS - August 18, 2021

Executive Summary

BlackBerry identified that the following products are affected by an integer overflow vulnerability (CVE-2021-22156) with a CVSS score of 9.0: BlackBerry QNX Software Development Platform (SDP) version 6.5.0SP1 and earlier, QNX OS for Medical 1.1 and earlier, and QNX OS for Safety 1.0.1.

BlackBerry states there “are no known workarounds for this vulnerability.” CISA recommends applying patches as soon as they are available from BlackBerry. BlackBerry provides mitigations and recommendations to “reduce the possibility of exploitation.”
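The alert names the bug class only (an integer overflow in the C runtime library, the BadAlloc pattern) and does not show QNX code. The following added example, written for this page and not taken from BlackBerry, CISA or the QNX source, illustrates that class in general terms: an allocation size computed as count * element size silently wraps to a small value, so the resulting buffer is far smaller than the caller believes, which is how such a bug turns into memory corruption or a crash. The hardened variant shows the overflow check that a runtime or application allocator needs before the multiplication. Function names and the sample sizes are the author's assumptions for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdlib.h>
#include <stdio.h>

/* Illustrative only (hypothetical, not QNX code): the unchecked size
 * arithmetic behind the BadAlloc class. If count * elem_size exceeds
 * SIZE_MAX the product wraps modulo SIZE_MAX + 1 and a tiny (even zero)
 * number of bytes is requested. */
size_t naive_alloc_size(size_t count, size_t elem_size) {
    return count * elem_size;
}

/* Hardened variant: refuse the request when the product cannot fit in
 * size_t. Returns 1 and stores the byte count in *out on success,
 * 0 on overflow (nothing is stored). The division form is portable C;
 * compilers also offer __builtin_mul_overflow for the same check. */
int checked_alloc_size(size_t count, size_t elem_size, size_t *out) {
    if (elem_size != 0 && count > SIZE_MAX / elem_size) {
        return 0;   /* count * elem_size would wrap */
    }
    *out = count * elem_size;
    return 1;
}

/* Convenience predicate for callers and tests: does this request wrap? */
int request_wraps(size_t count, size_t elem_size) {
    size_t unused;
    return !checked_alloc_size(count, elem_size, &unused);
}

/* Allocation wrapper that applies the check before calling malloc.
 * Returns NULL both on overflow and on allocation failure, so callers
 * must always test the result. */
void *safe_array_alloc(size_t count, size_t elem_size) {
    size_t bytes;
    if (!checked_alloc_size(count, elem_size, &bytes)) {
        return NULL;
    }
    return malloc(bytes);
}

int main(void) {
    /* Constructed sample: a count chosen so that count * 4 is exactly
     * SIZE_MAX + 1, which wraps to 0 in the naive computation. */
    size_t hostile_count = SIZE_MAX / 4 + 1;

    printf("naive size for %zu x 4 bytes: %zu\n",
           hostile_count, naive_alloc_size(hostile_count, 4));
    printf("checked request wraps: %d\n", request_wraps(hostile_count, 4));

    void *p = safe_array_alloc(hostile_count, 4);
    printf("safe_array_alloc returned %s\n", p ? "a buffer" : "NULL");
    free(p);

    /* A sane request still succeeds. */
    size_t bytes = 0;
    if (checked_alloc_size(100, 8, &bytes)) {
        printf("100 x 8 bytes -> %zu bytes\n", bytes);
    }
    return 0;
}
```

The defensive takeaway is the one the alert's recommendation rests on: allocation sizes derived from untrusted counts must be range-checked before the multiplication, and a NULL return from the allocator must be handled rather than assumed away.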

Report

CISA - Alert (AA21-229A) BadAlloc Vulnerability Affecting BlackBerry QNX RTOS
https://us-cert.cisa.gov/ncas/alerts/aa21-229a

Impact to HPH Sector

The Healthcare and Public Health Sector is affected by the CVE-2021-22156 vulnerability found in BlackBerry’s QNX OS software. Exploitation of this vulnerability “could lead to a denial-of-service condition or arbitrary code execution in affected devices.”

References

BlackBerry – QNX-2021-001 Vulnerability in the C Runtime Library Impacts BlackBerry QNX Software Development Platform (SDP), QNX OS for Medical, and QNX OS for Safety
https://support.blackberry.com/kb/articleDetail?articleNumber=000082334

BlackBerry – Update Available for 6.5.0SP1
https://www.qnx.com/download/feature.html?programid=59649

BlackBerry – Update Available for QNX OS for Safety 1.0.2
https://www.qnx.com/download/group.html?programid=27165

BlackBerry – Update Available for QNX OS for Medical 1.1.1
https://www.qnx.com/download/group.html?programid=26463

Contact Information

If you have any additional questions, please contact us at HC3@hhs.gov.