The Coast Guard Cyber Command, Maritime Cyber Readiness Branch has issued Maritime Cyber Alert 02-21 recommending the Maritime community examine their systems to determine if they contain BlackBerry QNX versions 6.5 or below, or any of the other products identified by CISA listed in ICSA-21-119-04: Multiple RTOS (Update B).
The recent public disclosure from BlackBerry regarding the “BadAlloc” vulnerability in their QNX OS versions 6.5 and earlier, should put all organizations on continued alert for threats and vulnerabilities to the cyber landscape. “BadAlloc” is the name assigned to the family of vulnerabilities discovered in embedded Internet of Things (IoT) and Operational Technology (OT) operating systems and software to describe a class of memory overflow vulnerabilities.
A device with these exploitable vulnerabilities may enable malicious actors to deny system availability, ex-filtrate data, and move laterally within the systems in which they are installed. These malicious actions can lead to consequences for systems and their users, ranging from loss of data and trust, to physical harm and loss of life.
If your organization identifies a vulnerability or has any questions related to this alert, such as technical assistance with the mitigation actions, please contact U.S. Coast Guard at: email@example.com, or for immediate assistance call the Coast Guard Cyber Command 24×7 Watch at 202-372-2904.