Tag Archive for: BlackBerry

Mobile World Congress 2012 – Mobile Security Forum – Embrace is the right approach for BYOD



BadAlloc Vulnerability Affecting BlackBerry QNX RTOS


On August 17, 2021, BlackBerry publicly disclosed that its QNX Real Time Operating System (RTOS) is affected by a BadAlloc vulnerability—CVE-2021-22156. BadAlloc is a collection of vulnerabilities affecting multiple RTOSs and supporting libraries.[1] A remote attacker could exploit CVE-2021-22156 to cause a denial-of-service condition or execute arbitrary code on affected devices.[2] BlackBerry QNX RTOS is used in a wide range of products whose compromise could result in a malicious actor gaining control of highly sensitive systems, increasing risk to the Nation’s critical functions. Note: at this time, CISA is not aware of active exploitation of this vulnerability.

CISA strongly encourages critical infrastructure organizations and other organizations developing, maintaining, supporting, or using affected QNX-based systems to patch affected products as quickly as possible. Refer to the Mitigations section for more information about patching.

CVE-2021-22156 is an integer overflow vulnerability affecting the calloc() function in the C runtime library of multiple BlackBerry QNX products. Exploitation of this vulnerability could lead to a denial-of-service condition or arbitrary code execution on affected devices. To exploit this vulnerability, an attacker must have control over the parameters to a calloc() function call and the ability to control what memory is accessed after the allocation. An attacker with network access could remotely exploit this vulnerability if the vulnerable product is running and the affected device is exposed to the internet.[3]

CVE-2021-22156 is part of a collection of integer overflow vulnerabilities, known as BadAlloc, which affect a wide range of industries using Internet of Things (IoT), and operational technology (OT)/industrial control systems (ICS) devices. See CISA ICS Advisory ICSA-21-119-04 and Microsoft’s BadAlloc blog post for more information.

All BlackBerry QNX programs that depend on the C runtime library are affected by this vulnerability (see table 1 for a list of affected BlackBerry QNX products). Because many affected products are safety-critical devices, exploitation of this vulnerability could result in a malicious actor gaining control of sensitive systems, possibly leading to increased risk of damage to infrastructure or critical functions.
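The defect class described above, shown in C as an added example (this is not BlackBerry's libc code and not taken from the CISA alert): an allocator that multiplies nmemb by size without checking for wraparound hands back a tiny buffer for an attacker-chosen pair, and the caller then writes past it. The hardened version rejects any pair whose product does not fit in size_t. The attacker-controlled values EVIL_NMEMB and EVIL_SIZE and all function names are constructed for this example.

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Unchecked request sizing, the bug class behind BadAlloc: nmemb * size is
 * computed in size_t and wraps silently, so an attacker-chosen pair produces a
 * tiny allocation that the caller then treats as nmemb elements long.
 * This models the defect; it is not BlackBerry's libc code. */
static size_t unchecked_calloc_bytes(size_t nmemb, size_t size)
{
    return nmemb * size;
}

/* Overflow-checked multiplication: false if nmemb * size does not fit in size_t. */
static bool checked_mul_size(size_t nmemb, size_t size, size_t *bytes)
{
    if (nmemb != 0 && size > SIZE_MAX / nmemb)
        return false;
    *bytes = nmemb * size;
    return true;
}

/* True when the check above rejects the pair (the request would wrap). */
static bool overflow_detected(size_t nmemb, size_t size)
{
    size_t bytes;
    return !checked_mul_size(nmemb, size, &bytes);
}

/* Hardened calloc(): refuse a request whose byte count would wrap, otherwise
 * allocate and zero-fill as calloc() guarantees. */
static void *checked_calloc(size_t nmemb, size_t size)
{
    size_t bytes;
    if (!checked_mul_size(nmemb, size, &bytes)) {
        errno = ENOMEM;
        return NULL;
    }
    void *p = malloc(bytes);
    if (p != NULL)
        memset(p, 0, bytes);
    return p;
}

/* Constructed attacker input: an element count just over a quarter of the
 * address space and a 4-byte element. (SIZE_MAX / 4 + 2) * 4 == 2^N + 4, which
 * wraps to 4 on any N-bit size_t, so an unchecked calloc() hands back 4 bytes
 * while the caller believes it owns room for EVIL_NMEMB elements. */
static const size_t EVIL_NMEMB = SIZE_MAX / 4 + 2;
static const size_t EVIL_SIZE  = 4;

/* Bytes the unchecked path would actually request for the attacker's pair. */
static size_t wrapped_request_bytes(void)
{
    return unchecked_calloc_bytes(EVIL_NMEMB, EVIL_SIZE);
}

/* Whether the hardened allocator refuses the same pair. */
static bool hardened_rejects_request(void)
{
    void *p = checked_calloc(EVIL_NMEMB, EVIL_SIZE);
    bool rejected = (p == NULL);
    free(p);
    return rejected;
}

/* Control: a sane request still succeeds and comes back zero-filled. */
static bool hardened_accepts_sane_request(void)
{
    uint32_t *p = checked_calloc(16, sizeof *p);
    if (p == NULL)
        return false;
    bool zeroed = true;
    for (size_t i = 0; i < 16; i++)
        zeroed = zeroed && (p[i] == 0);
    free(p);
    return zeroed;
}

int main(void)
{
    printf("unchecked request wraps to %zu bytes\n", wrapped_request_bytes());
    printf("hardened allocator rejects it: %s\n",
           hardened_rejects_request() ? "yes" : "no");
    printf("hardened allocator accepts 16 x 4 bytes: %s\n",
           hardened_accepts_sane_request() ? "yes" : "no");
    return 0;
}
```

The check `size > SIZE_MAX / nmemb` is the portable form of the fix; on compilers that provide it, `__builtin_mul_overflow()` expresses the same test in one call. The same wraparound applies to any `count * elem_size` computed before `malloc()`, which is why the alert lists every program linked against the affected C runtime, not just callers of `calloc()`.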

Table 1: Affected BlackBerry QNX Products [4]

Product                                 Affected Versions
QNX SDP                                 6.5.0SP1, 6.5.0, 6.4.1, 6.4.0
QNX Momentics Development Suite         6.3.2
QNX Momentics                           6.3.0SP3, 6.3.0SP2, 6.3.0SP1, 6.3.0, 6.2.1b, 6.2.1, 6.2.1A, 6.2.0
QNX Realtime Platform                   6.1.0a, 6.1.0, 6.0.0a, 6.0.0
QNX Cross Development Kit               6.0.0, 6.1.0
QNX Development Kit (Self-hosted)       6.0.0, 6.1.0
QNX Neutrino RTOS Safe Kernel           1.0
QNX Neutrino RTOS Certified Plus        1.0
QNX Neutrino RTOS for Medical Devices   1.0, 1.1
QNX OS for Automotive Safety            1.0
QNX OS for Safety                       1.0, 1.0.1
QNX Neutrino Secure Kernel              6.4.0, 6.5.0
QNX CAR Development Platform            2.0RR


Mitigations

CISA strongly encourages critical infrastructure organizations and other organizations developing, maintaining, supporting, or using affected QNX-based systems to patch affected products as quickly as possible.

  • Manufacturers of products that incorporate vulnerable versions should contact BlackBerry to obtain the patch.
  • Manufacturers of products who develop unique versions of RTOS software should contact BlackBerry to obtain the patch code. Note: in some cases, manufacturers may need to develop and test their own software patches.
  • End users of safety-critical systems should contact the manufacturer of their product to obtain a patch. If a patch is available, users should apply the patch as soon as possible. If a patch is not available, users should apply the manufacturer’s recommended mitigation measures until the patch can be applied.
    • Note: installing RTOS software updates frequently requires taking the device out of service, or moving it to an off-site location for physical replacement of integrated memory.

Resources

Source…

BlackBerry resisted announcing major flaw in software powering cars, hospital equipment


The back-and-forth between BlackBerry and the government highlights a major difficulty in fending off cyberattacks on increasingly internet-connected devices ranging from robotic vacuum cleaners to wastewater-plant management systems. When companies such as BlackBerry sell their software to equipment manufacturers, they rarely provide detailed records of the code that goes into the software — leaving hardware makers, their customers and the government in the dark about where the biggest risks lie.

BlackBerry may be best known for making old-school smartphones beloved for their physical keyboards, but in recent years it has become a major supplier of software for industrial equipment, including QNX, which powers everything from factory machinery and medical devices to rail equipment and components on the International Space Station. BadAlloc could give attackers a way into many of these devices, allowing bad actors to commandeer them or disrupt their operations.

Microsoft security researchers announced in April that they’d discovered the vulnerability and found it in a number of companies’ operating systems and software. In May, many of those companies worked with the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency to publicly reveal the flaws and urge users to patch their devices.

BlackBerry wasn’t among them.

Privately, BlackBerry representatives told CISA earlier this year that they didn’t believe BadAlloc had impacted their products, even though CISA had concluded that it did, according to the two people, both of whom spoke anonymously because they were not authorized to discuss the matter publicly. Over the last few months, CISA pushed BlackBerry to accept the bad news, eventually getting them to acknowledge the vulnerability existed.

Then BlackBerry said it didn’t intend to go public to deal with the problem. The company told CISA it planned to reach out privately to its direct customers and warn them about the QNX issue.

Technology companies sometimes prefer private vulnerability disclosures because doing so doesn’t tip off hackers that patching is underway — but also because it limits (or at least delays) any resulting…

Source…

BlackBerry Stock Rises As Earnings Meet Expectations As Security Revenue Disclosed


BlackBerry earnings for the May quarter fell from a year earlier but met expectations, as revenue edged past Wall Street targets. BlackBerry stock rose on the news as the company broke out computer security software revenue for the first time.

Canada-based BlackBerry (BB) reported a 5-cent loss on an adjusted basis for the quarter ending May 31. Revenue fell 16% to $174 million, including $107 million in cybersecurity sales and $43 million in “Internet of Things” sales, the company said. IoT revenue includes automotive software.

Analysts expected BlackBerry to report a 5-cent per-share loss on revenue of $171.3 million. In the year-earlier quarter, BlackBerry earned 2 cents per share on revenue of $206 million.

BlackBerry stock rose 1.4% to 12.86 in extended trading on the stock market today. In Thursday’s regular session, shares fell 3.5%.

BlackBerry Stock: Intellectual Property Sale Expected

Analysts expected lower intellectual property licensing revenue to impact the BlackBerry earnings report. The company is in talks to sell its intellectual property portfolio. BlackBerry garners about 30% of revenue from intellectual property fees.

BlackBerry stock has gained some 92% in 2021, though shares retreated heading into the fiscal first-quarter earnings report. Investors using social media have driven BB stock and other so-called meme stocks higher, including AMC Entertainment (AMC), GameStop (GME) and Clover Health (CLOV).

Here’s an in-depth look at BB stock, using IBD technical and fundamental analysis.

A one-time leading maker of mobile devices, BlackBerry was a driving force in pagers and cellphones. But its hardware business collapsed in 2008 amid competition from Apple (AAPL) iPhones and Android devices.

BlackBerry pivoted to mobile security software under Chief Executive John Chen. Also, BlackBerry has been a provider of software in the automotive market for entertainment and mapping programs.

If you’re new to IBD, consider taking a look at its stock trading system and CAN SLIM basics. Recognizing chart patterns for companies like BlackBerry stock is one key to the investment guidelines.

IBD offers a broad range of growth stock lists, such as Leaderboard. Investors also…

Source…