On August 17, 2021, BlackBerry publicly disclosed that its QNX Real Time Operating System (RTOS) is affected by a BadAlloc vulnerability, CVE-2021-22156. BadAlloc is a collection of vulnerabilities affecting multiple RTOSs and supporting libraries. A remote attacker could exploit CVE-2021-22156 to cause a denial-of-service condition or execute arbitrary code on affected devices. Every water and wastewater utility should determine whether impacted RTOS devices are present in its environment. Asset owners are encouraged to check the original CISA ICS Advisory ICSA-21-119-04, Multiple RTOS (Update B), for a partial list of impacted products. In addition, asset owners should work with IT and OT support staff, system integrators, and ICS and IoT manufacturers to determine whether any process control systems are vulnerable to this flaw, and should consider patching, or applying appropriate compensating controls/workarounds immediately until a patch can be applied.
WaterISAC-EPA Joint Advisory_BlackBerry QNX_BadAlloc_FINAL