A major vulnerability affecting older versions of BlackBerry's QNX Real-Time Operating System (RTOS) could allow malicious actors to cripple and gain control of a variety of products, including cars, medical, and industrial equipment.
The shortcoming (CVE-2021-22156, CVSS score: 9.0) is part of a broader collection of flaws, collectively dubbed [BadAlloc](<https://thehackernews.com/2021/04/microsoft-finds-badalloc-flaws.html>), that Microsoft originally disclosed in April 2021 and that could give attackers a way into many of these devices, allowing them to commandeer the devices or disrupt their operations.
"A remote attacker could exploit CVE-2021-22156 to cause a denial-of-service condition or execute arbitrary code on affected devices," the U.S. Cybersecurity and Infrastructure Security Agency (CISA) [said](<https://us-cert.cisa.gov/ncas/current-activity/2021/08/17/badalloc-vulnerability-affecting-devices-incorporating-older>) in a Tuesday bulletin. As of writing, there is no evidence of active exploitation of the vulnerability.
BlackBerry QNX technology is [used](<https://blackberry.qnx.com/en/company/about-qnx>) worldwide by over 195 million vehicles and embedded systems across a wide range of industries, including aerospace and defense, automotive, commercial vehicles, heavy machinery, industrial controls, medical, rail, and robotics.
BlackBerry, in its own advisory, characterized the issue as "an integer overflow vulnerability in the calloc() function of the C runtime library" affecting its QNX Software Development Platform (SDP) version 6.5.0SP1 and earlier, QNX OS for Medical 1.1 and earlier, and QNX OS for Safety 1.0.1. Manufacturers of IoT and OT devices that incorporate affected QNX-based systems are advised to apply the following patches:
* **QNX SDP 6.5.0 SP1** - Apply patch ID 4844 or update to QNX SDP 6.6.0 or later
* **QNX OS for Safety 1.0 or 1.0.1** - Update to QNX OS for Safety 1.0.2
* **QNX OS for Medical 1.0 or 1.1** - Apply patch ID 4846 to update to QNX OS for Medical 1.1.1
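As an added illustration (not code from the article or from BlackBerry's QNX runtime), the following C program shows the calloc()-style multiplication overflow described above alongside the overflow check that prevents it; the allocator, the record layout and the sample request are hypothetical and constructed here.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Byte count as an unchecked calloc() computes it: unsigned multiplication
 * wraps modulo SIZE_MAX + 1, so an enormous request can become a tiny one. */
size_t unchecked_total(size_t nmemb, size_t size)
{
    return nmemb * size;
}

/* Returns 1 when nmemb * size cannot be represented in size_t.
 * Uses division so the check itself cannot wrap. */
int would_overflow(size_t nmemb, size_t size)
{
    return nmemb != 0 && size > SIZE_MAX / nmemb;
}

/* Hardened calloc-style allocator (hypothetical): rejects a request whose
 * byte count would wrap, instead of reserving the wrapped, too-small amount
 * and handing the caller a buffer it believes is far larger than it is. */
void *checked_calloc(size_t nmemb, size_t size)
{
    if (would_overflow(nmemb, size))
        return NULL;                    /* surfaces as an allocation failure */
    size_t total = nmemb * size;        /* safe: checked above */
    void *p = malloc(total == 0 ? 1 : total);
    if (p != NULL)
        memset(p, 0, total);
    return p;
}

/* A typical call site the check protects: an element count taken from an
 * untrusted message (constructed here) sized against a fixed record layout. */
struct record {
    uint32_t id;
    uint32_t flags;
    uint32_t payload_len;
};

/* Returns 1 if the table was allocated, 0 if the request was rejected or failed. */
int allocate_records(size_t count_from_input)
{
    struct record *table = checked_calloc(count_from_input, sizeof *table);
    if (table == NULL)
        return 0;
    free(table);
    return 1;
}

int main(void)
{
    /* Constructed request: 2^(bits-2)+1 elements of 4 bytes wraps to 4 bytes. */
    size_t huge = SIZE_MAX / 4 + 2;
    printf("unchecked: %zu x 4 -> reserves %zu byte(s)\n", huge, unchecked_total(huge, 4));
    printf("checked:   %s\n", allocate_records(huge) ? "allocated" : "request rejected");
    printf("checked:   %s\n", allocate_records(64) ? "allocated" : "request rejected");
    return 0;
}
```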
"Ensure that only ports and protocols used by the application using the RTOS are accessible, blocking all others," BlackBerry [suggested](<https://support.blackberry.com/kb/articleDetail?articleNumber=000082334>) as mitigations. "Follow network segmentation, vulnerability scanning, and intrusion detection best practices appropriate for use of the QNX product in your cybersecurity environment to prevent malicious or unauthorized access to vulnerable devices."
In a separate report, Politico [revealed](<https://www.politico.com/news/2021/08/17/blackberry-qnx-vulnerability-hackers-505649>), citing people familiar with the matter, that BlackBerry resisted efforts to [publicly announce](<https://us-cert.cisa.gov/ics/advisories/icsa-21-119-04>) the BadAlloc vulnerability in late April, opting instead to privately contact its customers and warn them about the issue, an approach that could have left several device manufacturers exposed, and only backtracked after the company couldn't identify all of the vendors using its software.
"BlackBerry representatives told CISA earlier this year that they didn't believe BadAlloc had impacted their products, even though CISA had concluded that it did," the report said, adding "over the last few months, CISA pushed BlackBerry to accept the bad news, eventually getting them to acknowledge the vulnerability existed."
TECHNICAL DETAILS\n\n### 4.1 AFFECTED PRODUCTS\n\n * Amazon FreeRTOS, Version 10.4.1\n * Apache Nuttx OS, Version 9.1.0 \n * ARM CMSIS-RTOS2, versions prior to 2.1.3\n * ARM Mbed OS, Version 6.3.0\n * ARM mbed-ualloc, Version 1.3.0\n * BlackBerry QNX SDP Versions 6.5.0 SP1 and earlier\n * BlackBerry QNX OS for Safety Versions 1.0.1 and earlier safety products compliant with IEC 61508 and/or ISO 26262\n * BlackBerry QNX OS for Medical Versions 1.1 and earlier safety products compliant with IEC 62304 \n * A full list of affected QNX products and versions is [available here](<https://www.qnx.com/support/knowledgebase.html?id=5015Y000001SX2z>)\n * Cesanta Software Mongoose OS, v2.17.0\n * eCosCentric eCosPro RTOS, Versions 2.0.1 through 4.5.3\n * Google Cloud IoT Device SDK, Version 1.0.2\n * Media Tek LinkIt SDK, versions prior to 4.6.1\n * Micrium OS, Versions 5.10.1 and prior\n * Micrium uC/OS: uC/LIB Versions 1.38.xx, Version 1.39.00\n * NXP MCUXpresso SDK, versions prior to 2.8.2\n * NXP MQX, Versions 5.1 and prior\n * Redhat newlib, versions prior to 4.0.0\n * RIOT OS, Version 2020.01.1 \n * Samsung Tizen RT RTOS, versions prior 3.0.GBB\n * TencentOS-tiny, Version 3.1.0\n * Texas Instruments CC32XX, versions prior to 4.40.00.07\n * Texas Instruments SimpleLink MSP432E4XX\n * Texas Instruments SimpleLink-CC13XX, versions prior to 4.40.00\n * Texas Instruments SimpleLink-CC26XX, versions prior to 4.40.00\n * Texas Instruments SimpleLink-CC32XX, versions prior to 4.10.03\n * Uclibc-NG, versions prior to 1.0.36 \n * Windriver VxWorks, prior to 7.0\n * Zephyr Project RTOS, versions prior to 2.5\n\n### 4.2 VULNERABILITY OVERVIEW\n\n#### 4.2.1 [INTEGER OVERFLOW OR WRAPAROUND CWE-190](<https://cwe.mitre.org/data/definitions/190.html>)\n\nMedia Tek LinkIt SDK versions prior to 4.6.1 is vulnerable to integer overflow in memory allocation calls pvPortCalloc(calloc) and pvPortRealloc(realloc), which can lead to memory corruption on the target device. 
\n\n[CVE-2021-30636](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-30636>) has been assigned to this vulnerability. A CVSS v3 base score of 7.3 has been calculated; the CVSS vector string is ([AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L>)).\n\n#### 4.2.2 [INTEGER OVERFLOW OR WRAPAROUND CWE-190](<https://cwe.mitre.org/data/definitions/190.html>)\n\nARM CMSIS RTOS2 versions prior to 2.1.3 are vulnerable to integer wrap-around inosRtxMemoryAlloc (local malloc equivalent) function, which can lead to arbitrary memory allocation, resulting in unexpected behavior such as a crash or injected code execution.\n\n[CVE-2021-27431](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-27431>) has been assigned to this vulnerability. A CVSS v3 base score of 7.3 has been calculated; the CVSS vector string is ([AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L>)).\n\n#### 4.2.3 [INTEGER OVERFLOW OR WRAPAROUND CWE-190](<https://cwe.mitre.org/data/definitions/190.html>)\n\nARM mbed-ualloc memory library Version 1.3.0 is vulnerable to integer wrap-around in function mbed_krbs, which can lead to arbitrary memory allocation, resulting in unexpected behavior such as a crash or a remote code injection/execution.\n\n[CVE-2021-27433](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-27433>) has been assigned to this vulnerability. 
A CVSS v3 base score of 7.3 has been calculated; the CVSS vector string is ([AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L>)).\n\n#### 4.2.4 [INTEGER OVERFLOW OR WRAPAROUND CWE-190](<https://cwe.mitre.org/data/definitions/190.html>)\n\nARM mbed product Version 6.3.0 is vulnerable to integer wrap-around in malloc_wrapper function, which can lead to arbitrary memory allocation, resulting in unexpected behavior such as a crash or a remote code injection/execution. \n\n[CVE-2021-27435](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-27435>) has been assigned to this vulnerability. A CVSS v3 base score of 7.3 has been calculated; the CVSS vector string is ([AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L>)).\n\n#### 4.2.5 [INTEGER OVERFLOW OR WRAPAROUND CWE-190](<https://cwe.mitre.org/data/definitions/190.html>)\n\nRIOT OS Versions 2020.01.1 is vulnerable to integer wrap-around in its implementation of calloc function, which can lead to arbitrary memory allocation, resulting in unexpected behavior such as a crash or a remote code injection/execution. \n\n[CVE-2021-27427](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-27427>) has been assigned to this vulnerability. A CVSS v3 base score of 7.3 has been calculated; the CVSS vector string is ([AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L>)).\n\n#### 4.2.6 [INTEGER OVERFLOW OR WRAPAROUND CWE-190](<https://cwe.mitre.org/data/definitions/190.html>)\n\nSamsung Tizen RT RTOS version 3.0.GBB is vulnerable to integer wrap-around in functions_calloc and mm_zalloc. This improper memory assignment can lead to arbitrary memory allocation, resulting in unexpected behavior such as a crash. 
\n\n[CVE-2021-22684](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-22684>) has been assigned to this vulnerability. A CVSS v3 base score of 3.2 has been calculated; the CVSS vector string is ([AV:L/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:L](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:L>)).\n\n#### 4.2.7 [INTEGER OVERFLOW OR WRAPAROUND CWE-190](<https://cwe.mitre.org/data/definitions/190.html>)\n\nTencentOS-tiny Version 3.1.0 is vulnerable to integer wrap-around in function 'tos_mmheap_alloc incorrect calculation of effective memory allocation size. This improper memory assignment can lead to arbitrary memory allocation, resulting in unexpected behavior such as a crash or a remote code injection/execution. \n\n[CVE-2021-27439](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-27439>) has been assigned to this vulnerability. A CVSS v3 base score of 7.3 has been calculated; the CVSS vector string is ([AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L>)).\n\n#### 4.2.8 [INTEGER OVERFLOW OR WRAPAROUND CWE-190](<https://cwe.mitre.org/data/definitions/190.html>)\n\nCesanta Software Mongoose-OS v2.17.0 is vulnerable to integer wrap-around in function mm_malloc. This improper memory assignment can lead to arbitrary memory allocation, resulting in unexpected behavior such as a crash or a remote code injection/execution. \n\n[CVE-2021-27425](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-27425>) has been assigned to this vulnerability. 
A CVSS v3 base score of 7.3 has been calculated; the CVSS vector string is ([AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L>)).\n\n#### 4.2.9 [INTEGER OVERFLOW OR WRAPAROUND CWE-190](<https://cwe.mitre.org/data/definitions/190.html>)\n\nApache Nuttx OS Version 9.1.0 is vulnerable to integer wrap-around in functions malloc, realloc and memalign. This improper memory assignment can lead to arbitrary memory allocation, resulting in unexpected behavior such as a crash or a remote code injection/execution. \n\n[CVE-2021-26461](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-26461>) has been assigned to this vulnerability. A CVSS v3 base score of 7.3 has been calculated; the CVSS vector string is ([AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L>)).\n\n#### 4.2.10 [INTEGER OVERFLOW OR WRAPAROUND CWE-190](<https://cwe.mitre.org/data/definitions/190.html>)\n\nWind River VxWorks several versions prior to 7.0 firmware are vulnerable to weaknesses found in the following functions; calloc(memLib), mmap/mmap64 (mmanLib), cacheDmaMalloc(cacheLib) and cacheArchDmaMalloc(cacheArchLib). This improper memory assignment can lead to arbitrary memory allocation, resulting in unexpected behavior such as a crash or a remote code injection/execution. \n\n[CVE-2020-35198](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-35198>) and [CVE-2020-28895](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-28895>) have been assigned to this vulnerability. 
A CVSS v3 base score of 7.3 has been calculated; the CVSS vector string is ([AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L>)).\n\n#### 4.2.11 [INTEGER OVERFLOW OR WRAPAROUND CWE-190](<https://cwe.mitre.org/data/definitions/190.html>)\n\nAmazon FreeRTOS Version 10.4.1 is vulnerable to integer wrap-around in multiple memory management API functions (MemMang, Queue, StreamBuffer). This unverified memory assignment can lead to arbitrary memory allocation, resulting in unexpected behavior such as a crash or a remote code injection/execution. \n\n[CVE-2021-31571](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-31571>) and [CVE-2021-31572](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-31572>) have been assigned to this vulnerability. A CVSS v3 base score of 7.3 has been calculated; the CVSS vector string is ([AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L>)).\n\n#### 4.2.12 [INTEGER OVERFLOW OR WRAPAROUND CWE-190](<https://cwe.mitre.org/data/definitions/190.html>)\n\neCosCentric eCosPro RTOS Versions 2.0.1 through 4.5.3 are vulnerable to integer wraparound in function calloc (an implementation of malloc). The unverified memory assignment can lead to arbitrary memory allocation, resulting in a heap-based buffer overflow.\n\n[CVE-2021-27417](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-27417>) has been assigned to this vulnerability. 
A CVSS v3 base score of 4.6 has been calculated; the CVSS vector string is ([AV:L/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:H](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:L/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:H>)).\n\n#### 4.2.13 [INTEGER OVERFLOW OR WRAPAROUND CWE-190](<https://cwe.mitre.org/data/definitions/190.html>)\n\nRedhat newlib versions prior to 4.0.0 are vulnerable to integer wrap-around in malloc and nano-malloc family routines (memalign, valloc, pvalloc, nano_memalign, nano_valloc, nano_pvalloc) due to insufficient checking in memory alignment logic. This insufficient checking can lead to arbitrary memory allocation, resulting in unexpected behavior such as a crash or a remote code injection/execution.\n\n[CVE-2021-3420](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-3420>) has been assigned to this vulnerability. A CVSS v3 base score of 9.8 has been calculated; the CVSS vector string is ([AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H>)).\n\n#### 4.2.14 [INTEGER OVERFLOW OR WRAPAROUND CWE-190](<https://cwe.mitre.org/data/definitions/190.html>)\n\nNXP MCUXpresso SDK versions prior to 2.8.2 are vulnerable to integer overflow in SDK_Malloc function, which could allow to access memory locations outside the bounds of a specified array, leading to unexpected behavior such segmentation fault when assigning a particular block of memory from the heap via malloc. \n\n[CVE-2021-27421](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-27421>) has been assigned to this vulnerability. 
A CVSS v3 base score of 7.3 has been calculated; the CVSS vector string is ([AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L>)).\n\n#### 4.2.15 [INTEGER OVERFLOW OR WRAPAROUND CWE-190](<https://cwe.mitre.org/data/definitions/190.html>)\n\nNXP MQX Versions 5.1 and prior are vulnerable to integer overflow in mem_alloc, _lwmem_alloc and _partition functions. This unverified memory assignment can lead to arbitrary memory allocation, resulting in unexpected behavior such as a crash or a remote code injection/execution. \n\n[CVE-2021-22680](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-22680>) has been assigned to this vulnerability. A CVSS v3 base score of 7.3 has been calculated; the CVSS vector string is ([AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L>)).\n\n#### 4.2.16 [INTEGER OVERFLOW OR WRAPAROUND CWE-190](<https://cwe.mitre.org/data/definitions/190.html>)\n\nuClibc-ng versions prior to 1.0.37 are vulnerable to integer wrap-around in functions malloc-simple. This improper memory assignment can lead to arbitrary memory allocation, resulting in unexpected behavior such as a crash or a remote code injection/execution. \n\n[CVE-2021-27419](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-27419>) has been assigned to this vulnerability. A CVSS v3 base score of 7.3 has been calculated; the CVSS vector string is ([AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L>)).\n\n#### 4.2.17 [INTEGER OVERFLOW OR WRAPAROUND CWE-190](<https://cwe.mitre.org/data/definitions/190.html>)\n\nTexas Instruments TI-RTOS returns a valid pointer to a small buffer on extremely large values. This can trigger an integer overflow vulnerability in 'HeapTrack_alloc' and result in code execution. 
\n\n[CVE-2021-27429](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-27429>) has been assigned to this vulnerability. A CVSS v3 base score of 7.4 has been calculated; the CVSS vector string is ([AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H>)).\n\n#### 4.2.18 [INTEGER OVERFLOW OR WRAPAROUND CWE-190](<https://cwe.mitre.org/data/definitions/190.html>)\n\nTexas Instruments TI-RTOS returns a valid pointer to a small buffer on extremely large values, which can trigger an integer overflow vulnerability in 'malloc' and result in code execution. \n\n[CVE-2021-22636](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-22636>) has been assigned to this vulnerability. A CVSS v3 base score of 7.4 has been calculated; the CVSS vector string is ([AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H>)).\n\n#### 4.2.19 [INTEGER OVERFLOW OR WRAPAROUND CWE-190](<https://cwe.mitre.org/data/definitions/190.html>)\n\nTexas Instruments devices running FREERTOS, malloc returns a valid pointer to a small buffer on extremely large values, which can trigger an integer overflow vulnerability in 'malloc' for FreeRTOS, resulting in code execution.\n\n[CVE-2021-27504](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-27504>) has been assigned to this vulnerability. 
A CVSS v3 base score of 7.4 has been calculated; the CVSS vector string is ([AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H>)).\n\n#### 4.2.20 [INTEGER OVERFLOW OR WRAPAROUND CWE-190](<https://cwe.mitre.org/data/definitions/190.html>)\n\nTexas Instruments TI-RTOS, when configured to use HeapMem heap(default), malloc returns a valid pointer to a small buffer on extremely large values, which can trigger an integer overflow vulnerability in 'HeapMem_allocUnprotected' and result in code execution. \n\n[CVE-2021-27502](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-27502>) has been assigned to this vulnerability. A CVSS v3 base score of 7.4 has been calculated; the CVSS vector string is ([AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H>)).\n\n#### 4.2.21 [INTEGER OVERFLOW OR WRAPAROUND CWE-190](<https://cwe.mitre.org/data/definitions/190.html>)\n\nGoogle Cloud IoT Device SDK Version 1.0.2 is vulnerable to heap overflow due to integer overflow in its implementation of calloc, which can lead to arbitrary memory allocation, resulting in unexpected behavior such as a crash or code execution. \n\nGoogle PSIRT will assign a CVE. CVSS score will be calculated when a CVE has been assigned. \n\n#### 4.2.22 [INTEGER OVERFLOW OR WRAPAROUND CWE-190](<https://cwe.mitre.org/data/definitions/190.html>)\n\nMicrium OS Versions 5.10.1 and prior are vulnerable to integer wrap-around in functions Mem_DynPoolCreate, Mem_DynPoolCreateHW and Mem_PoolCreate. This unverified memory assignment can lead to arbitrary memory allocation, resulting in unexpected behavior such as very small blocks of memory being allocated instead of very large ones.\n\n[CVE-2021-27411](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-27411>) has been assigned to this vulnerability. 
A CVSS v3 base score of 6.5 has been calculated; the CVSS vector string is ([AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:H>)).\n\n#### 4.2.23 [INTEGER OVERFLOW OR WRAPAROUND CWE-190](<https://cwe.mitre.org/data/definitions/190.html>)\n\nMicrium uC/OS: uC/LIB Versions 1.38.xx, 1.39.00 are vulnerable to integer wrap-around in functions Mem_DynPoolCreate, Mem_DynPoolCreateHW and Mem_PoolCreate. This unverified memory assignment can lead to arbitrary memory allocation, resulting in unexpected behavior such as very small blocks of memory being allocated instead of very large ones.\n\n[CVE-2021-26706](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-26706>) has been assigned to this vulnerability. A CVSS v3 base score of 6.5 has been calculated; the CVSS vector string is ([AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:H](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:H>)).\n\n#### 4.2.24 [INTEGER OVERFLOW OR WRAPAROUND CWE-190](<https://cwe.mitre.org/data/definitions/190.html>)\n\nZephyr Project RTOS versions prior to 2.5 are vulnerable to integer wrap-around sys_mem_pool_alloc function, which can lead to arbitrary memory allocation resulting in unexpected behavior such as a crash or code execution. \n\n[CVE-2020-13603](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-13603>) has been assigned to this vulnerability. 
A CVSS v3 base score of 6.9 has been calculated; the CVSS vector string is ([AV:P/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:P/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H>)).\n\n#### 4.2.25 [INTEGER OVERFLOW OR WRAPAROUND CWE-190](<https://cwe.mitre.org/data/definitions/190.html>)\n\nBlackBerry QNX SDP Versions 6.5.0 SP1 and earlier, QNX OS for Safety Versions 1.0.1 and earlier, QNX OS for Medical Versions 1.1, and [other products](<https://www.qnx.com/support/knowledgebase.html?id=5015Y000001SX2z>) are vulnerable to integer wrap-around in the calloc( ) C runtime function, which can lead to arbitrary memory allocation, resulting in unexpected behavior such as a crash or injected code execution.\n\n[CVE-2021-22156](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-22156>) has been assigned to this vulnerability. A CVSS v3 base score of 9.0 has been calculated; the CVSS vector string is ([AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H>)).\n\n### 4.3 BACKGROUND\n\n * **CRITICAL INFRASTRUCTURE SECTORS:** Multiple\n * **COUNTRIES/AREAS DEPLOYED: **Worldwide\n * **COMPANY HEADQUARTERS LOCATION:** Multiple\n\n### 4.4 RESEARCHER\n\nDavid Atch, Omri Ben Bassat, and Tamir Ariel from Microsoft Section 52, and the Azure Defender for IoT research group reported these vulnerabilities to CISA.\n\n## 5\\. MITIGATIONS\n\n * Amazon FreeRTOS \u2013 [Update available](<https://github.com/FreeRTOS/FreeRTOS-Kernel/pull/224>)\n * Apache Nuttx OS Version 9.1.0 \u2013 [Update available](<https://github.com/apache/incubator-nuttx>)\n * ARM CMSIS-RTOS2 \u2013 Update in progress, expected in June\n * ARM Mbed OS \u2013 [Update available](<https://github.com/ARMmbed/mbed-os/pull/14408>)\n * ARM mbed-ualloc \u2013 no longer supported and no fix will be issued\n * Blackberry QNX 6.5.0SP1 \u2013 [Update available](<https://www.qnx.com/download/feature.html?programid=59649>). 
[See public advisory](<https://support.blackberry.com/kb/articleDetail?articleNumber=000082334>)\n * Blackberry QNX OS for Safety 1.0.2 \u2013 [Update available](<https://www.qnx.com/download/group.html?programid=27165>). [See public advisory](<https://support.blackberry.com/kb/articleDetail?articleNumber=000082334>)\n * Blackberry QNX OS for Medical 1.1.1 \u2013 [Update available](<https://www.qnx.com/download/group.html?programid=26463>). [See public advisory](<https://support.blackberry.com/kb/articleDetail?articleNumber=000082334>)\n * Cesanta Software mongooses \u2013 [Update available ](<https://github.com/cesanta/mongoose-os>)\n * eCosCentric eCosPro RTOS: Update to Versions 4.5.4 and newer \u2013 [Update available](<https://bugzilla.ecoscentric.com/show_bug.cgi?id=1002437>)\n * Google Cloud IoT Device SDK \u2013 [Update available](<https://github.com/GoogleCloudPlatform/iot-device-sdk-embedded-c/pull/119/files>)\n * Media Tek LinkIt SDK \u2013 MediaTek will provide the update to users. No fix for free version, as it is not intended for production use. 
\n * Micrium OS: Update to v5.10.2 or later \u2013 [Update available](<https://www.silabs.com/developers/micrium-os>)\n * Micrium uCOS: uC/LIB Versions 1.38.xx, 1.39.00: Update to v1.39.1 \u2013 [Update available](<https://github.com/weston-embedded/uC-LIB/releases/tag/v1.39.01>)\n * NXP MCUXpresso SDK \u2013 [Update to 2.9.0 or later ](<https://mcuxpresso.nxp.com/en/welcome>)\n * NXP MQX \u2013 update to 5.1 or newer\n * Redhat newlib \u2013 [Update available](<https://sourceware.org/git/gitweb.cgi?p=newlib-cygwin.git>)\n * RIOT OS \u2013 [Update available](<https://github.com/RIOT-OS/RIOT>)\n * Samsung Tizen RT RTOS \u2013 [Update available](<https://github.com/Samsung/TizenRT>)\n * TencentOS-tiny \u2013 Update available\n * Texas Instruments CC32XX \u2013 Update to v4.40.00.07\n * Texas Instruments SimpleLink CC13X0 \u2013 [Update to v4.10.03](<https://www.ti.com/technologies/security/report-product-security-vulnerabilities.html>)\n * Texas Instruments SimpleLink CC13X2-CC26X2 \u2013 [Update to v4.40.00](<https://www.ti.com/technologies/security/report-product-security-vulnerabilities.html>)\n * Texas Instruments SimpleLink CC2640R2 \u2013 [Update to v4.40.00](<https://www.ti.com/technologies/security/report-product-security-vulnerabilities.html>)\n * Texas Instruments SimpleLink MSP432E4 \u2013 Confirmed. 
No update currently planned\n * uClibc-ng \u2013 [Update available](<https://downloads.uclibc-ng.org/releases/>)\n * Windriver VxWorks \u2013 Update in progress\n\n**\\--------- Begin Update E Part 1 of 1 ---------**\n\n * Windriver VxWorks \u2013 Update in progress \n * The following devices use Windriver VxWorks as their RTOS: \n * Hitachi Energy GMS600 \u2013 [See public advisory](<https://search.abb.com/library/Download.aspx?DocumentID=8DBD000072&LanguageCode=en&DocumentPartId=&Action=Launch>).\n * Hitachi Energy PWC600 \u2013 [See public advisory](<https://search.abb.com/library/Download.aspx?DocumentID=8DBD000073&LanguageCode=en&DocumentPartId=&Action=Launch>).\n * Hitachi Energy REB500 \u2013 [See public advisory](<https://search.abb.com/library/Download.aspx?DocumentID=8DBD000071&LanguageCode=en&DocumentPartId=&Action=Launch>).\n * Hitachi Energy Relion 670, 650 series and SAM600-IO \u2013 [See public advisory](<https://search.abb.com/library/Download.aspx?DocumentID=8DBD000070&LanguageCode=en&DocumentPartId=&Action=Launch>)\n * Hitachi Energy RTU500 series CMU \u2013 Updates available for some firmware versions \u2013 [See public advisory](<https://search.abb.com/library/Download.aspx?DocumentID=8DBD000065&LanguageCode=en&DocumentPartId=&Action=Launch>).\n * Hitachi Energy Modular Switchgear Monitoring System MSM \u2013 Protect your network \u2013 [See public advisory](<https://search.abb.com/library/Download.aspx?DocumentID=9AKK107992A5975&LanguageCode=en&DocumentPartId=&Action=Launch>).\n\n**\\--------- End Update E Part 1 of 1 ---------**\n\n * Zephyr Project: Update to [2.5 or later](<https://github.com/zephyrproject-rtos/zephyr>). Patches available for prior supported versions. See the Zephyr [security advisory](<https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-94vp-8gc2-rm45>) for more information.\n\nCISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities. 
Specifically, users should:\n\n * Apply available vendor updates.\n * Minimize network exposure for all control system devices and/or systems, and ensure that they are [not accessible from the Internet](<https://us-cert.cisa.gov/ics/alerts/ICS-ALERT-10-301-01>).\n * Locate control system networks and remote devices behind firewalls, and isolate them from the business network.\n * When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as its connected devices.\n\nCISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures. \n \nCISA also provides a section for [control systems security recommended practices](<https://us-cert.cisa.gov/ics/recommended-practices>) on the ICS webpage on [us-cert.cisa.gov](<https://us-cert.cisa.gov/ics>). Several recommended practices are available for reading and download, including [Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies](<https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf>).\n\nAdditional mitigation guidance and recommended practices are publicly available on the [ICS webpage on us-cert.cisa.gov](<https://us-cert.cisa.gov/ics>) in the Technical Information Paper, [ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies](<https://us-cert.cisa.gov/ics/tips/ICS-TIP-12-146-01B>). 
\n \nOrganizations observing any suspected malicious activity should follow their established internal procedures and report their findings to CISA for tracking and correlation against other incidents.\n\nNo known public exploits specifically target these vulnerabilities.\n\n## \nContact Information\n\nFor any questions related to this report, please contact the CISA at: \n \nEmail: [CISAservicedesk@cisa.dhs.gov](<mailto:cisaservicedesk@cisa.dhs.gov>) \nToll Free: 1-888-282-0870\n\nFor industrial control systems cybersecurity information: https://us-cert.cisa.gov/ics \nor incident reporting: https://us-cert.cisa.gov/report\n\nCISA continuously strives to improve its products and services. You can help by choosing one of the links below to provide feedback about this product.\n\nThis product is provided subject to this Notification and this [Privacy & Use](<https://www.dhs.gov/privacy-policy>) policy.\n\n**Please share your thoughts.**\n\nWe recently updated our anonymous [product survey](<https://www.surveymonkey.com/r/CISA-cyber-survey?product=https://us-cert.cisa.gov/ics/advisories/icsa-21-119-04>); we'd welcome your feedback.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-04-19T00:00:00", "type": "ics", "title": "Multiple RTOS (Update E)", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, 
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-13603", "CVE-2020-28895", "CVE-2020-35198", "CVE-2021-22156", "CVE-2021-22636", "CVE-2021-22680", "CVE-2021-22684", "CVE-2021-26461", "CVE-2021-26706", "CVE-2021-27411", "CVE-2021-27417", "CVE-2021-27419", "CVE-2021-27421", "CVE-2021-27425", "CVE-2021-27427", "CVE-2021-27429", "CVE-2021-27431", "CVE-2021-27433", "CVE-2021-27435", "CVE-2021-27439", "CVE-2021-27502", "CVE-2021-27504", "CVE-2021-30636", "CVE-2021-31571", "CVE-2021-31572", "CVE-2021-3420"], "modified": "2022-04-19T00:00:00", "id": "ICSA-21-119-04", "href": "https://www.us-cert.gov/ics/advisories/icsa-21-119-04", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}]}