After US FDA alert, BlackBerry admits QNX also affected by critical 'BadAlloc' bug

BlackBerry has issued an alert for a serious vulnerability in its QNX real-time operating system (RTOS), used in hundreds of millions of endpoints including 195 million cars, and says older versions of the software are impacted.

While the flaw, named BadAlloc, was first reported by Microsoft's Azure Defender for IoT security researchers in April this year, BlackBerry did not issue an alert for the vulnerability until the United States Food and Drug Administration this week warned that the bug put drug manufacturing equipment at risk of cyber attacks.

"BlackBerry is aware of this matter and can confirm that it does not impact current or recent versions of the QNX RTOS, but rather versions dating from 2012 and earlier," the Canadian company said in a statement.

Multiple versions of QNX are affected, Blackberry said.

BadAlloc is a bug in C-language runtime library that dictates how RTOSes allocate memory.

It can be exploited to overflow integers or make them wrap around for denial-of-service attacks and remote code execution.

The bug potentially affects hundreds of millions of IoT devices and control systems from scores of vendors, and deploying updates for it could be complex, Microsoft said.

To effect an attack, threat actors need to have network access and be able to control the parameters for calloc() function calls, and access memory to control after an allocation has been made.

Patches are available from Blackberry for affected QNX versions, but there are no known workarounds for the vulnerability, which not yet been recorded as being exploited.