BlackBerry QNX-2021-001 integer overflow vulnerability [CVE-2021-22156]

CVE number: CVE-2021-22156

On August 17th 2021, BlackBerry released a security advisory, QNX-2021-001, that disclosed an integer overflow vulnerability in the following BlackBerry software releases:

  • QNX Software Development Platform (SDP) – 6.5.0SP1 and earlier
  • QNX OS for Medical – 1.1 and earlier
  • QNX OS for Safety – 1.0.1 and earlier

A successful exploit could allow an attacker to execute arbitrary code or cause a denial of service (DoS).

In order to exploit this vulnerability, an attacker must have control over the parameters to a calloc() function call and the ability to control what memory is accessed after the allocation.

To remotely exploit this vulnerability, an attacker would require network access and the devices would need to have a vulnerable service running and exposed.
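Attacker influence over calloc() parameters matters because the requested byte count is the product of two values, and an unchecked product can wrap to a small number. The following C code is an added example, not code from BlackBerry or the advisory; it assumes the generic bug class of an unchecked count × size multiplication, and `mul_overflows`, `wrapped_product` and `checked_calloc` are hypothetical helper names showing a caller-side guard.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Returns 1 if nmemb * size cannot be represented in size_t. */
int mul_overflows(size_t nmemb, size_t size)
{
    return size != 0 && nmemb > SIZE_MAX / size;
}

/* What an unchecked allocator would compute: unsigned arithmetic
 * wraps silently, so a huge request can become a tiny one. */
size_t wrapped_product(size_t nmemb, size_t size)
{
    return nmemb * size;
}

/* Caller-side guard (hypothetical helper): reject requests whose byte
 * count wraps instead of relying on the C library to detect it. */
void *checked_calloc(size_t nmemb, size_t size)
{
    if (mul_overflows(nmemb, size))
        return NULL;
    return calloc(nmemb, size);
}

int main(void)
{
    /* Constructed sample: an element count derived from untrusted input. */
    size_t count = SIZE_MAX / 16 + 2;
    size_t elem = 16;

    printf("requested elements : %zu x %zu bytes\n", count, elem);
    printf("wrapped byte count : %zu\n", wrapped_product(count, elem));
    printf("guarded allocation : %s\n",
           checked_calloc(count, elem) ? "allocated" : "rejected");
    return 0;
}
```

A buffer sized from the wrapped value is far smaller than the caller believes, which is why the advisory's second precondition, control over what memory is accessed after the allocation, completes the picture.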

Mitigation

Ensure that only ports and protocols used by the application using the RTOS are accessible, blocking all others.

Follow network segmentation, vulnerability scanning, and intrusion detection best practices appropriate for use of the QNX product in your cybersecurity environment to prevent malicious or unauthorized access to vulnerable devices.

For a description of this vulnerability, see QNX-2021-001.

Jason Davies

UK based technology professional, with an interest in computer security and telecoms.
