Cybersecurity News

CISA Says BlackBerry Vulnerability to Impact Medical Device Security

CISA issued a new alert on medical device security.

A new CISA alert is issued for medical devices.

Source: Getty Images

By Lisa Gentes-Hunt

- The Cybersecurity and Infrastructure Security Agency (CISA) issued an alert on August 17 that it said could concern medical device security. 

The alert includes medical devices that use older versions of BlackBerry QNX products. 

The alert is for “devices incorporating older versions of multiple BlackBerry QNX products affected by a BadAlloc vulnerability,” the alert states. “A malicious actor could exploit this vulnerability to take control of an affected system or cause a denial-of-service condition.” 

“Because devices incorporating older versions of BlackBerry QNX products support critical infrastructure and national critical functions, CISA is strongly urging all organizations whose devices use affected QNX-based systems to immediately apply the mitigations provided in CISA Alert AA21-229A and Blackberry Advisory QNX-2021-001,” it states.  

BlackBerry disclosed the issues on August 17, according to the CISA alert.  

“BlackBerry publicly disclosed that its QNX Real Time Operating System (RTOS) is affected by a BadAlloc vulnerability—CVE-2021-22156. BadAlloc is a collection of vulnerabilities affecting multiple RTOSs and supporting libraries,” the CISA alert notes. “A remote attacker could exploit CVE-2021-22156 to cause a denial-of-service condition or execute arbitrary code on affected devices.” 

Currently, CISA is not aware of any active exploitation resulting from the BlackBerry vulnerability, it states.  

“CISA strongly encourages critical infrastructure organizations and other organizations developing, maintaining, supporting, or using affected QNX-based systems, to patch affected products as quickly as possible,” it notes.  

CISA recommends that manufactures contact BlackBerry to obtain the patch.  

Those users of “safety-critical systems should contact the manufacturer of their product to obtain a patch. If a patch is available, users should apply the patch as soon as possible. If a patch is not available, users should apply the manufacturer's recommended mitigation measures until the patch can be applied,” the alert states.