BlackBerry’s QNX Software Development Platform (SDP), a widely used real-time operating system in safety-critical industries, is the subject of a recent security advisory. Identified as QNX-2024-003, this advisory details multiple vulnerabilities in the TIFF and PCX image codecs, posing significant risks of information disclosure, denial of service (DoS), and remote code execution (RCE). These vulnerabilities are tracked under CVE-2024-48854, CVE-2024-48855, CVE-2024-48856, CVE-2024-48857, and CVE-2024-48858, with CVSS scores reaching as high as 9.8.
The vulnerabilities impact QNX SDP versions 8.0, 7.1, and 7.0. As per the advisory, “An attacker must induce a target system to parse a maliciously crafted TIFF or PCX format image file” to exploit these vulnerabilities. The resulting impacts include:
- Information Disclosure: CVE-2024-48854 and CVE-2024-48855 allow attackers to access sensitive data within the context of the affected process.
- Denial of Service (DoS): CVE-2024-48857 and CVE-2024-48858 can disrupt system availability by causing application crashes.
- Remote Code Execution (RCE): CVE-2024-48856 enables attackers to execute arbitrary code, potentially compromising the entire system.
BlackBerry states, “QNX is not aware of any exploitation of these vulnerabilities,” but highlights the urgency of mitigating risks in critical systems.
BlackBerry has released updated image codecs to address the vulnerabilities:
- QNX SDP 8.0: Version 0.0.1.00077T202410011913L
- QNX SDP 7.1: Version 0.0.7.00759T202410010845L
- QNX SDP 7.0: Version 7.0.7094.L202410281606
Updates can be downloaded via the QNX Software Center. BlackBerry advises all affected customers to apply these updates promptly.
For organizations unable to immediately update, BlackBerry recommends:
- Restrict Permissions: Run processes using the image codec in non-superuser modes to limit potential damage.
- Avoid Parsing Untrusted Files: Ensure systems do not process image files from unverified sources.
- Monitor System Behavior: Deploy monitoring solutions to detect abnormal activity associated with image parsing.
Related Posts:
- CVE-2024-35213: Critical Vulnerability Discovered in BlackBerry QNX SDP
- Microsoft and BlackBerry Collaborate to provide a secure environment for mobile workforce
- Qualcomm Patches 3 Critical Flaws in January 2024 Security Bulletin
