A newly disclosed flaw in software from BlackBerry Ltd. has resulted in warnings from U.S. government authorities due to its serious nature.

The flaw, described as a BadAlloc vulnerability, has been founded in BlackBerry’s QNX Real Time Operating System. QNX is a commercial Unix-like real-time operating system primarily used in embedded systems. The software can be found in medical devices, cars, factories and even the International Space Station.

According to an alert today from BlackBerry, the vulnerability affects QNX Software Development Platform version 6.5.0SP1 and earlier, QNX OS for Medical 1.1 and earlier, and QNX OS for Safety 1.0.1 and earlier. Exploiting the vulnerability, an attacker could perform a denial-of-service attack or execute arbitrary code. BlackBerry noted that it’s not aware of any exploitation of the vulnerability.

Due to the potential risks from the vulnerability given the sorts of devices the software can be found in, both the U.S. Department of Homeland Security’s Cyberstructure and Infrastructure Agency and the Food and Drug Administration issued formal alerts.

The CISA alert noted that all BlackBerry programs with dependency on the C runtime library are affected by the vulnerability and provides a longer list of QNX products affected than Blackberry did. The FDA notes that the vulnerability “may introduce risks for certain medical devices, as well as pharmaceutical or medical device manufacturing equipment.” Both CISA and the FDA said they were not aware of any adverse events related to the issue.

Announcements that certain software has security issues are not uncommon, but where this takes a twist is that it’s alleged that BlackBerry knew of the flaw and did not disclose it until now. The BadAlloc flaw in the BlackBerry software is not related to BlackBerry software alone and was detailed by Microsoft in April.

Worse still, it’s alleged that BlackBerry was forced to disclose the issue. Politico reported that BlackBerry held discussions with federal cybersecurity officials and initially denied BadAlloc affected its products and later resisted making a public announcement.

Blackberry allegedly told CISA that it intended to reach out privately to its direct customers and warn them about the QNX issue, but there was a catch. Blackberry allegedly told CISA that it couldn’t identify everyone using its software to warn them. CISA then pressured BlackBerry to make the disclosure.

BlackBerry has not denied that it initially resisted a public disclosure. “Software patching communications occur directly to our customers,” a company spokesperson said. “However, we will make adjustments to this process in order to best serve our customers.”

The good news for those affected is that updates that address the BadAlloc vulnerability are available from BlackBerry.

“The head-in-the-sand approach continues to come back to bite companies,” AJ King, chief information security officer at incident response company BreachQuest Inc., told SiliconANGLE. “Software supply chain issues are main stage now and are the gateway drug to extortion, ransomware and botnets.”

It’s worse to be forced into disclosure than to take early, proactive measures, King explained. “Getting experienced security executives a seat at the table and ensuring that they have direct lines of accountability to the board is one of the first steps towards destroying the toxic management culture of keeping things as quiet as possible for as long as possible,” he said.

Setu Kulkarni, vice president, strategy at NTT Application Security, said this may spur a new debate.

“Is there any circumstance where keeping such widespread vulnerabilities under wraps is beneficial?” Kulkarni asked. “After all, unlike physical adversarial threats, cyber threats cannot be seen or contained by borders or treaties. In this case, the earlier the disclosure is, the earlier preventative measures can be rolled out.”

Kulkarni acknowledged that disclosures may be perceived as painting a target on devices that use QNX. “But assuming that cybercriminals wait for disclosures in this day and age is naïve,” he said. “With the Presidential EO on supply-chain risk mitigation, there is a heightened impetus on information sharing – and that should be the go-forward approach on most if not all disclosures especially when there is no comprehensive way to privately reach out to thousands of manufacturers who have 100s of millions of systems using their components.”

Photo: BlackBerry