BlackBerry this week issued a critical security advisory for past versions of its QNX Real Time Operating System (RTOS), used in more than 175m cars, medical equipment, and industrial systems.
BlackBerry QNX Software Development Platform (SDP) version 6.5.0SP1 and earlier, QNX OS for Medical 1.1 and earlier, and QNX OS for Safety 1.0.1 are vulnerable to an integer overflow vulnerability in the
calloc() function of the C runtime library.
The flaw, identified as CVE-2021-22156 with a CVSS (severity) score of 9.0, is part of the far-reaching collection of programming blunders Microsoft dubbed BadAlloc and disclosed in late April, 2021.
BlackBerry, according to Politico, initially denied that its products contained one or more BadAlloc-class bugs, and subsequently resisted making a public announcement due to the difficulty of contacting all the manufacturers and other organizations affected.
The Register asked BlackBerry to explain the four-month disclosure delay and we’ve not heard back. We were, however, heartened to read BlackBerry’s assertion that it “takes its critical role in other companies’ embedded software supply chains with the utmost seriousness.”
“BlackBerry is aware of this matter and can confirm that it does not impact current or recent versions of the QNX RTOS, but rather versions dating from 2012 and earlier,” the company said in a statement, adding that all potentially affected customers have been notified.
On the bright side, the US Cybersecurity and Infrastructure Agency (CISA) said it isn’t aware of active exploitation of this particular vulnerability. At the same time, the agency acknowledged that an attacker with network access could exploit this flaw remotely if a vulnerable device is exposed to the internet.
“Exploitation of this vulnerability could lead to a denial-of-service condition or arbitrary code execution in affected devices,” CISA said in its alert.
The US cybersecurity agency observed that successful exploitation would require the attacker to have control over the parameters passed to
calloc(), a memory allocation function, and to have the ability to control the memory accessed after the allocation. That’s potentially achievable if, say, you’re feeding data into a server-side program from a client. The client could trick the server into allocating too-small a space for the incoming information, allowing the client to subsequently overwrite the server program’s data and hijack its operation.
For instance, a client program could tell an application it’s about to send over a huge amount of data, causing the app to attempt to allocate space to hold that information. The buggy runtime library suffers an integer overflow, spilling from a large number to a small number of bytes to allocate. The allocator then returns a pointer to that minuscule memory space and the application would then try to fill the buffer with too much data from the client, overwriting necessary data and structures and allowing the attacker to overwrite pointers and other values in memory.
Such bugs explain why Rust programming language, capable of memory-safety and type-safety, has become popular in recent years at companies like AWS, Google, and Microsoft. It’s worth saying that not only should the runtime library not overflow, applications should also not attempt wildly huge allocations as it’s probably a sign that something’s going wrong.
BlackBerry said it has made patches available and is working with government and industry groups, noting that none of its customers have reported any impact from the code flaws. ®