BlackBerry publicly disclosed that its QNX Real Time Operating System (RTOS) is affected by a BadAlloc vulnerability—CVE-2021-22156, with a CVSS score of 9. BadAlloc is a collection of 25 vulnerabilities affecting multiple RTOSs and their supporting libraries, and therefore the critical infrastructure organizations and other organizations that develop, maintain, support, or use affected QNX-based systems.

A remote attacker could exploit CVE-2021-22156 to cause a denial-of-service condition or execute arbitrary code on affected devices. BlackBerry QNX RTOS is used in a wide range of products, and a compromise could result in a malicious actor gaining control of highly sensitive systems, increasing the risk of damage to infrastructure or critical functions.
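BadAlloc is the name given to a class of defects in which the arithmetic that computes an allocation size wraps around, so an allocator hands back a buffer far smaller than the caller believes it requested; the denial-of-service and code-execution outcomes above follow from code then writing past that undersized buffer. The following C program is an added illustration of that class and of the check that fixes it; it is not QNX or BlackBerry code, and every function name in it (`mul_size_checked`, `alloc_array_unchecked`, `alloc_array_checked`, `wrapped_request_bytes`) is a hypothetical name chosen for this example.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical helper (added example): stores count * size in *out and
 * returns true when the product fits in size_t; returns false when the
 * multiplication would wrap around. */
static bool mul_size_checked(size_t count, size_t size, size_t *out)
{
    if (count != 0 && size > SIZE_MAX / count) {
        return false;               /* product would exceed SIZE_MAX */
    }
    *out = count * size;
    return true;
}

/* Naive allocator: the multiplication wraps silently, so a huge request
 * can become a tiny (or zero-byte) allocation while the caller still
 * believes it holds `count` elements. This is the defect pattern the
 * BadAlloc advisories describe. */
void *alloc_array_unchecked(size_t count, size_t size)
{
    return malloc(count * size);    /* BUG: no overflow check */
}

/* Hardened allocator: refuses any request whose byte size cannot be
 * represented, instead of returning an undersized buffer. */
void *alloc_array_checked(size_t count, size_t size)
{
    size_t bytes;
    if (!mul_size_checked(count, size, &bytes)) {
        errno = EOVERFLOW;
        return NULL;
    }
    return malloc(bytes);
}

/* Exposes the wrapped byte count a naive caller would pass to malloc,
 * so the wraparound can be observed without touching any memory.
 * Unsigned wraparound is well defined in C, which is exactly why the
 * compiler does not warn about it. */
size_t wrapped_request_bytes(size_t count, size_t size)
{
    return count * size;
}

int main(void)
{
    /* Constructed input: one more element than SIZE_MAX / 8 allows,
     * so count * 8 wraps to exactly 0 on both 32- and 64-bit targets. */
    size_t count = SIZE_MAX / 8 + 1;
    size_t elem = 8;

    printf("naive request would ask malloc for %zu bytes\n",
           wrapped_request_bytes(count, elem));
    printf("checked allocator returned %s\n",
           alloc_array_checked(count, elem) == NULL ? "NULL (refused)"
                                                     : "a buffer");
    return 0;
}
```

The audit question this models for any allocator wrapper or length-prefixed parser is whether the byte count is checked before multiplication rather than after; with the checked variant the worst case is a failed allocation that the caller must already handle, rather than a heap overflow later.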

BleepingComputer reports that BlackBerry QNX's technology is used worldwide in more than 195 million vehicles and embedded systems across a wide range of sectors, including aerospace and defense, heavy machinery, rail, robotics, industrial controls, automotive, commercial vehicles and medical.

At this time, there is no record of active exploitation of this vulnerability, according to the Cybersecurity and Infrastructure Security Agency (CISA). “CISA strongly encourages critical infrastructure organizations and other organizations developing, maintaining, supporting, or using affected QNX-based systems to patch affected products as quickly as possible,” CISA says.

Microsoft’s Section 52, the Azure Defender for IoT security research group, discovered the vulnerability in April and shared it with vendors and federal agencies. According to POLITICO, other companies affected by the same vulnerability worked with CISA to publicly reveal the flaws and urge users to patch their devices.

POLITICO reports, “Privately, BlackBerry representatives told CISA earlier this year that they didn’t believe BadAlloc had impacted their products, even though CISA had concluded that it did, according to the two people, both of whom spoke anonymously because they were not authorized to discuss the matter publicly. Over the last few months, CISA pushed BlackBerry to accept the bad news, eventually getting them to acknowledge the vulnerability existed. Then BlackBerry said it didn’t intend to go public to deal with the problem. The company told CISA it planned to reach out privately to its direct customers and warn them about the QNX issue.”

In a statement to POLITICO, BlackBerry said it maintains “lists of our customers and have actively communicated to those customers regarding this issue.”

“Software patching communications occur directly to our customers,” the company said. “However, we will make adjustments to this process in order to best serve our customers.”

Setu Kulkarni, Vice President, Strategy at NTT Application Security, a San Jose, Calif.-based provider of application security, says, “This does spur a new debate. Is there any circumstance where keeping such widespread vulnerabilities under wraps is beneficial? After all, unlike physical adversarial threats, cyber threats cannot be seen or contained by borders or treaties. In this case, the earlier the disclosure is, the earlier preventative measures can be rolled out.”

Kulkarni adds, “Yes, disclosures may be perceived as painting a target on devices that use QNX – but assuming that cybercriminals wait for disclosures in this day and age is naïve. With the Presidential EO on supply-chain risk mitigation, there is a heightened impetus on information sharing – and that should be the go-forward approach on most if not all disclosures, especially when there is no comprehensive way to privately reach out to thousands of manufacturers who have 100s of millions of systems using their components. The fact that BlackBerry eventually decided to pivot to public disclosure from their initial approach of privately disclosing this to their customers suggests that BlackBerry determined that it could not fully estimate the extent of the proliferation of their QNX system. In addition, given that the BadAlloc disclosures were already public, an earlier disclosure could have accelerated preventative steps to prevent exploits on and through QNX based systems.”

AJ King, Chief Information Security Officer at BreachQuest, an Augusta, Ga.-based leader in incident response, explains, “It is always worse to be forced into disclosure than to take early, proactive measures to show your consumers that you’re doing everything in your power to keep their data (and in this case their physical security) safe. Instead of being just another company on the list of companies that were impacted by this vulnerability, they now have a story dedicated solely to their intentional decision to minimize impact.”