Wed | Aug 18, 2021 | 10:56 AM PDT

When an organization discovers a potentially harmful security vulnerability, it faces a difficult ethical decision. Should it try to quietly mitigate the situation? Or should it go public with the information and risk blowback?

This is a decision that CISOs and executives must make with their bottom line in mind, and it's never an easy choice.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) released a security advisory addressing a vulnerability discovered in BlackBerry's QNX operating system known as BadAlloc.

BlackBerry QNX is an "all-purpose technology built for the world's most critical embedded systems." It is used in over 195 million vehicles and spans multiple industries, including aerospace and defense, automotive, commercial vehicles, heavy machinery, industrial controls, medical, rail, and robotics.

Despite this vulnerability potentially affecting various critical infrastructure entities, BlackBerry made the decision to keep quiet about it. Other organizations affected by the same BadAlloc vulnerability went public with the information in May of this year.

Here is what CISA warns about the vulnerability:

"On August 17, 2021, BlackBerry publicly disclosed that its QNX Real Time Operating System (RTOS) is affected by a BadAlloc vulnerability—CVE-2021-22156. BadAlloc is a collection of vulnerabilities affecting multiple RTOSs and supporting libraries. A remote attacker could exploit CVE-2021-22156 to cause a denial-of-service condition or execute arbitrary code on affected devices. BlackBerry QNX RTOS is used in a wide range of products whose compromise could result in a malicious actor gaining control of highly sensitive systems, increasing risk to the Nation's critical functions.

At this time, CISA is not aware of active exploitation of this vulnerability.

CISA strongly encourages critical infrastructure organizations and other organizations developing, maintaining, supporting, or using affected QNX-based systems to patch affected products as quickly as possible. Refer to the Mitigations section for more information about patching."

BlackBerry waits to disclose vulnerability to public

Earlier this year, the Microsoft Security Response Center (MSRC) announced it had discovered the BadAlloc vulnerabilities in products from multiple vendors, which could affect a wide range of IoT and OT devices in industrial, medical, and enterprise networks.

Many of the companies worked with CISA to publicly disclose the information to help users patch their devices. BlackBerry decided to take a different approach.

Instead of doing what the other companies were doing, BlackBerry told CISA it did not believe BadAlloc had impacted its products. CISA felt differently from BlackBerry and urged the company to acknowledge the vulnerability and go public with the information, according to Politico.

At first, BlackBerry had no intention of going public and told CISA it would reach out to its affected customers privately, but it ran into a slight problem.

BlackBerry could not identify everyone using the QNX software. This was because BlackBerry licenses QNX to "original equipment manufacturers" who use the technology to build products for their customers. BlackBerry admits that its known customers are a comparatively small group.

CISA approached BlackBerry again to convince it to go public, citing potential risks to national security, while the Department of Defense worked on finding an acceptable time for BlackBerry to make the announcement.

BlackBerry then realized it was time and agreed to make a public announcement by publishing an alert of the BadAlloc vulnerability.

Andrew King, CISO at BreachQuest, discusses the difficult decision BlackBerry faced:

"The head-in-the-sand approach continues to come back to bite companies. Software supply chain issues are main stage now, and are the gateway drug to extortion, ransomware, and botnets.

It is always worse to be forced into disclosure than to take early, proactive measures to show your consumers that you're doing everything in your power to keep their data (and in this case their physical security) safe. Getting experienced security executives a seat at the table, and ensuring that they have direct lines of accountability to the board, is one of the first steps towards destroying the toxic management culture of keeping things as quiet as possible for as long as possible.

Instead of being just another company on the list of companies that were impacted by this vulnerability, they now have a story dedicated solely to their intentional decision to minimize impact. In today's world, no one expects perfection. Things happen. But showing that you have integrity, and maintaining accountability in your business practices, will set you apart from your competitors. If I was sourcing from BlackBerry I would be asking myself, 'What else are they hiding?'"

Mitigations to BadAlloc vulnerability

CISA provides some mitigations in its security advisory and urges critical infrastructure organizations, or anyone, using QNX systems to patch their affected products as quickly as possible.

Here are the mitigations:

  • "Manufacturers of products that incorporate vulnerable versions should contact BlackBerry to obtain the patch."
  • "Manufacturers of products who develop unique versions of RTOS software should contact BlackBerry to obtain the patch code. Note: in some cases, manufacturers may need to develop and test their own software patches."
  • "End users of safety-critical systems should contact the manufacturer of their product to obtain a patch. If a patch is available, users should apply the patch as soon as possible. If a patch is not available, users should apply the manufacturer's recommended mitigation measures until the patch can be applied. Note: installation of software updates for RTOS frequently may require taking the device out of service or to an off-site location for physical replacement of integrated memory."

For more information on the BadAlloc vulnerability, you can see CISA's security advisory.
