Back in April, Microsoft highlighted a collection of vulnerabilities called "BadAlloc" affecting Internet of Things (IoT) and Operational Technology (OT) devices. It stated that the memory vulnerabilities could be used to trigger remote code execution (RCE) across millions of devices in multiple sectors including healthcare, industrial, automotive, and enterprise. BlackBerry disclosed yesterday that many of its products are affected by a BadAlloc vulnerability and the Department of Homeland Security"s (DHS) Cybersecurity and Infrastructure Agency (CISA) has now issued an advisory on the matter too.
The CVE-2021-22156 BadAlloc vulnerability affects hardware running BlackBerry"s QNX Real Time Operating System (RTOS). You can find the complete list of products affected by this vulnerability on CISA"s advisory here, but it is important to know that it impacts medical devices, automotive platforms, and the Neutrino QNX Secure Kernel, among many others.
In a nutshell, the current vulnerability could allow a malicious actor with network access to attack an affected device that is exposed to the internet. A sophisticated attacker could gain control over the calloc() function to trigger an integer overflow, giving them access to other memory locations through which they could initiate RCE or denial-of-service conditions.
Given the criticality of the BlackBerry products affected by this issue, CISA has outlined mitigations that should immediately be applied by manufacturers and end users. The former are required to get in touch with BlackBerry on an urgent basis to obtain patches whereas the latter are requested to contact manufacturers for the provisioning of patches, which should be applied immediately when available. If the patch is not available yet, mitigations provided by the manufacturers should be implemented. CISA has also cautioned that in some cases, affected hardware may need to be disconnected from service and taken to an off-site location for "physical replacement of integrated memory". It is unknown if this vulnerability is being exploited currently.