Cybersecurity Vulnerabilities Affecting Drug Manufacturing Equipment

BlackBerry’s QNX real-time operating system may create cybersecurity vulnerabilities, according to FDA.

BlackBerry’s QNX real-time operating system (RTOS) may create cybersecurity vulnerabilities that introduce risks for certain medical devices and drug manufacturing equipment, according to FDA. To date, there aren’t confirmed adverse events related to these vulnerabilities.

In an alert (AA21-229A) issued by the Cybersecurity and Infrastructure Security Agency (CISA) on August 17, 2021, CISA stated that BlackBerry publicly disclosed that its QNX RTOS is affected by a BadAlloc vulnerability (CVE-2021-22156); BadAlloc is a collection of vulnerabilities affecting multiple RTOSs and supporting libraries. CVE-2021-22156 is an integer overflow vulnerability affecting the calloc function in the C runtime library of multiple BlackBerry QNX products. It could be exploited by a remote attacker, causing a denial-of-service condition or allowing execution of arbitrary code on affected devices.
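The defect class named above, an integer overflow in an allocator's size computation, is worth seeing concretely. The following is an added illustration, not BlackBerry's QNX code and not taken from the CISA alert: it shows an unchecked `nmemb * size` computation wrapping to a tiny value, beside the overflow check that a hardened allocator wrapper performs before calling into the heap. Function names and the constructed input values are the example's own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Unchecked size computation: the general bug pattern behind BadAlloc-style
   findings (illustrative only; not the QNX implementation). On overflow the
   product silently wraps, so the allocator hands back far less memory than
   the caller believes it holds. */
size_t unchecked_alloc_size(size_t nmemb, size_t size) {
    return nmemb * size;
}

/* Hardened: detect the overflow before it becomes an undersized request.
   Returns 1 and stores the byte count in *total on success, 0 on overflow.
   The division-based test is portable C; compilers also offer
   __builtin_mul_overflow for the same purpose. */
int checked_alloc_size(size_t nmemb, size_t size, size_t *total) {
    if (nmemb != 0 && size > SIZE_MAX / nmemb) {
        return 0; /* nmemb * size would exceed SIZE_MAX */
    }
    *total = nmemb * size;
    return 1;
}

/* A calloc-style wrapper that refuses overflowing requests outright
   instead of returning a buffer that is smaller than advertised. */
void *safe_calloc(size_t nmemb, size_t size) {
    size_t total;
    if (!checked_alloc_size(nmemb, size, &total)) {
        return NULL;
    }
    void *p = malloc(total);
    if (p != NULL) {
        memset(p, 0, total); /* calloc semantics: zero-filled memory */
    }
    return p;
}

/* Demonstration with a constructed element count chosen so that
   nmemb * 4 wraps around to 4 bytes on both 32-bit and 64-bit targets. */
int main(void) {
    size_t nmemb = (SIZE_MAX / 4) + 2; /* constructed value */
    size_t size = 4;
    size_t total;
    printf("unchecked request: %zu bytes\n", unchecked_alloc_size(nmemb, size));
    printf("checked request:   %s\n",
           checked_alloc_size(nmemb, size, &total) ? "ok" : "overflow detected");
    return 0;
}
```

The unchecked path reports a 4-byte request for what the caller intended to be a multi-gigabyte array; the checked path rejects the same input. Vendor patches for this vulnerability class add exactly this kind of pre-multiplication check inside the runtime, and reviewing in-house code that computes allocation sizes from untrusted counts is the corresponding step for device and equipment integrators.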

FDA stated that manufacturers are assessing which equipment or systems may be affected by the BlackBerry QNX cybersecurity vulnerability. In addition, manufacturers are evaluating the risk and developing mitigations, including deploying patches from BlackBerry.

Organizations impacted by the BlackBerry QNX cybersecurity vulnerabilities should contact FDA. Specifically, drug manufacturers regulated by the Center for Drug Evaluation and Research should contact: cdercybersecurity@fda.hhs.gov.

Source: FDA (Accessed 08/18/2021), Cybersecurity and Infrastructure Security Agency (CISA)