Joint WaterISAC – U.S. Environmental Protection Agency Advisory

On Tuesday, August 17, 2021 the Cybersecurity and Infrastructure Security Agency (CISA) published an alert highlighting a vulnerability named “BadAlloc” (CVE-2021-22156) that has been identified in the BlackBerry (BB) QNX Real Time Operating System (RTOS) that is used in a wide range of Industrial Control Systems (ICS). Additionally, several other manufacturers have developed their own proprietary versions of this RTOS using similar technology to the BB QNX, which leaves their products vulnerable to the BadAlloc flaw as well.

Attention: Every water and wastewater utility should determine the presence of impacted RTOS devices within their environments. Asset owners are encouraged to check this original CISA ICS Advisory (ICSA-21-119-04) Multiple RTOS (Update C) for a partial list of impacted products. In addition, asset owners should work with IT and OT support staff, system integrators, and ICS and IoT manufacturers to determine if any process control systems are vulnerable to this flaw and consider patching or applying appropriate compensating controls/workarounds immediately until a patch can be applied.

What you need to know.

• A high-risk vulnerability impacting real-time operating systems (RTOS’s) known as BadAlloc has been identified in BlackBerry QNX RTOS Versions 6.5 SP1 and earlier.
• BadAlloc was originally disclosed by Microsoft in April 2021 as a type of remote code execution vulnerability affecting Internet of Things (IoT) devices and industrial equipment that is specifically used in industrial/OT, medical, and corporate networks.
• In May 2021, CISA issued a public disclosure regarding BadAlloc and its impact to RTOS’s in other manufacturer’s products.
• BlackBerry states that QNX RTOS is used in more than 500 million endpoint products, including more than 300 million embedded systems around the world across a range of industries such as aerospace, defense, automotive, commercial vehicles, heavy machinery, industrial controls, medical, rail, and robotics. Visit BlackBerry for a list of affected products.
• Given widespread usage among industrial control systems, it is important for water and wastewater sector entities to assess their environments for deployment of vulnerable components.

For more on why this is a concern, patch status, recommended actions, and additional infomation, access the attachment below.

WaterISAC and EPA will continue to share information with members and partners as more is learned about this vulnerability. Likewise, all water and wastewater utilities are encouraged to share information with WaterISAC by emailing analyst@waterisac.org, calling 866-H20-ISAC, or using the online incident reporting form.