CISA Alert: BadAlloc Vulnerability Affecting BlackBerry QNX RTOS
What you need to know about BadAlloc:
It’s not new: the group of vulnerabilities dubbed BadAlloc was first disclosed by Microsoft’s Section 52 research team in April 2021.
Why should you care about BadAlloc now? On August 17, 2021, CISA issued alert AA21-229A stating that BlackBerry has publicly disclosed that its QNX Real-Time Operating System (RTOS) is affected by a BadAlloc vulnerability, CVE-2021-22156. According to BlackBerry’s advisory, the flaw is an integer overflow in the calloc() function of the C runtime library in QNX Software Development Platform (SDP) 6.5.0SP1 and earlier, QNX OS for Medical 1.1 and earlier, and QNX OS for Safety 1.0.1 and earlier; fixed versions are available from BlackBerry, and product manufacturers that build on those QNX releases need to rebuild and ship updated firmware for the fix to reach end devices.
BadAlloc is a collection of vulnerabilities in the memory allocation functions (malloc, calloc, realloc and similar) of multiple RTOS platforms and their supporting libraries. The common pattern is that the allocator’s internal size arithmetic can overflow or wrap, so a very large request is silently satisfied with a much smaller buffer, and the caller’s subsequent writes run off the end of that buffer into the heap. The vulnerabilities potentially affect device security in the following ways:
1. A remote attacker could exploit CVE-2021-22156 to cause a denial-of-service condition or execute arbitrary code on affected devices, provided the device exposes a code path in which the attacker influences the size passed to the allocator.
2. BlackBerry QNX RTOS is used in a wide range of products (the manufacturer provides a full list here), whose compromise could result in a malicious actor gaining control of highly sensitive systems, increasing risk to the nation’s critical functions.
At this time, CISA is not aware of any active exploitation of this vulnerability.
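To make the allocation-size wraparound concrete, here is an added example written for this post; it is not code from Cynerio, BlackBerry or the QNX C runtime, and it does not reproduce the actual CVE-2021-22156 code. The record_t type, the toy_calloc_* functions and the element count are all hypothetical and chosen only to show the mechanism: an unchecked nmemb * size product wraps to a tiny value, the allocator happily returns a buffer of that tiny size, and the caller believes it owns room for billions of records. The hardened variant beside it rejects any request whose byte count does not fit in size_t.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical record type a caller might allocate an array of (16 bytes on typical targets). */
typedef struct {
    uint32_t id;
    uint32_t flags;
    uint64_t payload;
} record_t;

/* Byte count computed the BadAlloc way: nmemb * size with no overflow check.
 * If the true product exceeds SIZE_MAX it wraps modulo 2^N and a small number comes back. */
size_t unchecked_bytes(size_t nmemb, size_t size) {
    return nmemb * size;
}

/* Hardened version: refuse any request whose byte count does not fit in size_t.
 * The division form is portable C; GCC/Clang users can use __builtin_mul_overflow instead. */
bool checked_bytes(size_t nmemb, size_t size, size_t *out) {
    if (nmemb != 0 && size > SIZE_MAX / nmemb) {
        return false;               /* product would wrap */
    }
    *out = nmemb * size;
    return true;
}

/* Toy calloc with the bug pattern: allocates and zeroes the wrapped byte count,
 * then hands the caller a buffer far smaller than the nmemb elements requested. */
void *toy_calloc_unchecked(size_t nmemb, size_t size) {
    size_t bytes = unchecked_bytes(nmemb, size);
    void *p = malloc(bytes);
    if (p != NULL) {
        memset(p, 0, bytes);
    }
    return p;
}

/* Toy calloc with the fix: the same oversized request now fails cleanly with NULL. */
void *toy_calloc_checked(size_t nmemb, size_t size) {
    size_t bytes;
    if (!checked_bytes(nmemb, size, &bytes)) {
        return NULL;
    }
    void *p = malloc(bytes);
    if (p != NULL) {
        memset(p, 0, bytes);
    }
    return p;
}

/* An element count chosen so that count * sizeof(record_t) wraps to exactly
 * sizeof(record_t): the unchecked allocator returns room for one record, not count of them. */
size_t overflowing_count(void) {
    return SIZE_MAX / sizeof(record_t) + 2;
}

int main(void) {
    size_t count = overflowing_count();
    size_t wrapped = unchecked_bytes(count, sizeof(record_t));

    printf("requested %zu records of %zu bytes; unchecked allocator computes %zu bytes\n",
           count, sizeof(record_t), wrapped);

    void *bad = toy_calloc_unchecked(count, sizeof(record_t));
    printf("unchecked toy_calloc returned %s, yet the caller believes it owns %zu records\n",
           bad ? "a buffer" : "NULL", count);
    /* Writing ((record_t *)bad)[1] here would already be the heap overflow; we stop short of it. */
    free(bad);

    void *good = toy_calloc_checked(count, sizeof(record_t));
    printf("checked toy_calloc returned %s\n", good ? "a buffer" : "NULL");
    free(good);
    return 0;
}
```

The practical lesson for device firmware is that the check belongs inside the allocator, not in every caller: any code path where an attacker influences an element count (a length field in a network packet, a record count in a file header) turns a wrapped multiplication into a heap overflow, which is why CISA describes both denial of service and arbitrary code execution as possible outcomes.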
Are devices on your network affected?
As of today, no specific devices have been confirmed by their manufacturers as directly impacted by the BadAlloc vulnerability. Treat that as an absence of confirmation rather than proof of absence: any product built on one of the QNX versions named in BlackBerry’s advisory is potentially exposed until its manufacturer states otherwise, so inventory which of your devices run QNX and which version.
There was a concern about GE Healthcare product components being affected by BadAlloc. However, GE has issued a statement on its security portal (dated August 18, 2021) that these products are not impacted by this vulnerability.
Cynerio’s research team is working closely with device manufacturers to keep you posted on new patches and findings.
Please refer back to this blog post to get real-time updates on new discoveries and developments as they occur.