CVE-2024-35213: Critical Vulnerability Discovered in BlackBerry QNX SDP
BlackBerry has issued a critical security advisory for its QNX Software Development Platform (SDP), urging users to promptly patch a severe vulnerability in the SGI Image Codec. This flaw, identified as CVE-2024-35213 and assigned a CVSS score of 9.0 (critical), could allow attackers to trigger a denial-of-service (DoS) condition or even execute malicious code on affected systems.
The vulnerability stems from improper input validation in the SGI Image Codec, the component of the QNX Image library (libimg) that decodes SGI-format image files. An attacker reaches it by getting a maliciously crafted SGI file processed on the target, for example through any application that decodes untrusted images with that codec. BlackBerry is not aware of active exploitation of this vulnerability, but the potential consequences call for prompt action.
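To make concrete what "input validation" of an SGI file involves, the following C program is an added example: it is not BlackBerry's libimg code and does not reproduce the specific CVE-2024-35213 defect, whose details the advisory does not disclose. It parses the 512-byte SGI header and checks that the storage type, bytes-per-channel, dimensions, verbatim payload size and, for RLE files, every offset-table entry are consistent with the actual file length before any pixel data is touched. SGI_MAX_DIM and SGI_MAX_CHANNELS are assumed deployment policy limits, not part of the format.

```c
/* sgi_check.c - structural pre-validation of SGI image files before they reach a
 * decoder. Added example; not BlackBerry/QNX libimg code and not a reproduction of
 * the CVE-2024-35213 defect. SGI_MAX_DIM / SGI_MAX_CHANNELS are assumed policy limits. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SGI_MAGIC        474u     /* 0x01DA, big-endian, at offset 0 */
#define SGI_HEADER_SIZE  512u
#define SGI_MAX_DIM      8192u    /* assumed: widest/tallest image we accept */
#define SGI_MAX_CHANNELS 4u       /* assumed: grey, grey+alpha, RGB, RGBA */

typedef struct {
    uint8_t  storage;             /* 0 = verbatim, 1 = run-length encoded */
    uint8_t  bpc;                 /* bytes per channel: 1 or 2 */
    uint16_t dimension;           /* 1 = one scanline, 2 = one channel, 3 = full image */
    uint16_t xsize, ysize, zsize;
} sgi_header_t;

static inline uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static inline uint32_t rd32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}
static inline void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }
static inline void wr32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16); p[2] = (uint8_t)(v >> 8); p[3] = (uint8_t)v;
}

/* Return 0 if buf[0..len) is structurally consistent, a negative code otherwise.
 * All size arithmetic is done in uint64_t so the 16/32-bit header fields cannot
 * overflow the checks themselves. */
int sgi_validate(const uint8_t *buf, size_t len, sgi_header_t *out)
{
    if (len < SGI_HEADER_SIZE) return -1;                 /* truncated header */
    if (rd16(buf) != SGI_MAGIC) return -2;                /* wrong magic */
    sgi_header_t h;
    h.storage   = buf[2];
    h.bpc       = buf[3];
    h.dimension = rd16(buf + 4);
    h.xsize     = rd16(buf + 6);
    h.ysize     = rd16(buf + 8);
    h.zsize     = rd16(buf + 10);
    if (h.storage > 1) return -3;
    if (h.bpc != 1 && h.bpc != 2) return -4;
    if (h.dimension < 1 || h.dimension > 3) return -5;
    if (h.dimension == 1) { h.ysize = 1; h.zsize = 1; }  /* unused fields in lower dimensions */
    else if (h.dimension == 2) { h.zsize = 1; }
    if (h.xsize == 0 || h.ysize == 0 || h.zsize == 0) return -6;
    if (h.xsize > SGI_MAX_DIM || h.ysize > SGI_MAX_DIM || h.zsize > SGI_MAX_CHANNELS) return -7;

    uint64_t rows    = (uint64_t)h.ysize * h.zsize;       /* one scanline per row per channel */
    uint64_t payload = len - SGI_HEADER_SIZE;
    if (h.storage == 0) {
        if ((uint64_t)h.xsize * rows * h.bpc > payload) return -8;  /* verbatim data too short */
    } else {
        uint64_t tables = rows * 8;                        /* starttab + lengthtab, one uint32 each per row */
        if (tables > payload) return -9;                   /* offset tables run past EOF */
        const uint8_t *starttab  = buf + SGI_HEADER_SIZE;
        const uint8_t *lengthtab = starttab + rows * 4;
        /* Longest legal row: every pixel its own literal run (count + pixel), plus terminator. */
        uint64_t max_row = ((uint64_t)h.xsize * 2 + 1) * h.bpc;
        for (uint64_t i = 0; i < rows; i++) {
            uint64_t start  = rd32(starttab + i * 4);
            uint64_t length = rd32(lengthtab + i * 4);
            if (start < SGI_HEADER_SIZE + tables) return -10; /* row data inside header/tables */
            if (start + length > len) return -11;             /* row data runs past EOF */
            if (length > max_row) return -12;                 /* longer than any legal encoding */
        }
    }
    if (out) *out = h;
    return 0;
}

/* Build a zero-filled verbatim image (constructed sample input). Returns bytes written, 0 if cap is too small. */
size_t sgi_build_raw(uint8_t *dst, size_t cap, uint16_t x, uint16_t y, uint16_t z, uint8_t bpc)
{
    size_t need = SGI_HEADER_SIZE + (size_t)x * y * z * bpc;
    if (cap < need) return 0;
    memset(dst, 0, need);
    wr16(dst, SGI_MAGIC);
    dst[2] = 0;                                            /* verbatim storage */
    dst[3] = bpc;
    wr16(dst + 4, z > 1 ? 3 : (y > 1 ? 2 : 1));
    wr16(dst + 6, x); wr16(dst + 8, y); wr16(dst + 10, z);
    return need;
}

int main(void)
{
    uint8_t img[SGI_HEADER_SIZE + 64];
    size_t n = sgi_build_raw(img, sizeof img, 4, 4, 1, 1);
    printf("well-formed 4x4 image  : %d\n", sgi_validate(img, n, NULL));
    printf("same file, 1 byte short: %d\n", sgi_validate(img, n - 1, NULL));
    /* Constructed one-scanline RLE file whose offset table claims the row starts beyond EOF. */
    uint8_t rle[SGI_HEADER_SIZE + 8 + 16] = {0};
    wr16(rle, SGI_MAGIC); rle[2] = 1; rle[3] = 1;
    wr16(rle + 4, 1); wr16(rle + 6, 4); wr16(rle + 8, 1); wr16(rle + 10, 1);
    wr32(rle + SGI_HEADER_SIZE, 9999); wr32(rle + SGI_HEADER_SIZE + 4, 4);
    printf("RLE row past EOF       : %d\n", sgi_validate(rle, sizeof rle, NULL));
    return 0;
}
```

A pre-filter like this does not fix the codec; it lets the application reject obviously malformed files before they reach libimg, and it belongs in the same unprivileged process as the decoder so that a bug in the filter itself gains an attacker nothing extra.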
Impact and Vulnerable Systems
Successful exploitation of CVE-2024-35213 could crash the decoding process, disrupt image-processing services, or execute unauthorized code with the privileges of the process that loaded the codec. The vulnerability affects QNX SDP versions 6.6, 7.0, and 7.1; QNX SDP version 8.0 is not affected.
Mitigation and Workarounds
BlackBerry recommends several mitigation strategies to reduce the risk of exploitation:
- Patching: Upgrade QNX SDP to version 8.0, which is not affected, or apply BlackBerry's patch for the affected release where one is available.
- Disabling the Image API: The flaw is reachable only when SGI images are decoded through the QNX Image API (libimg). Systems whose software never loads libimg are not exposed, and administrators of systems that do not need image decoding can remove or disable the library.
- Privilege restriction: Run the process that decodes images as a non-superuser account with the minimum system access it needs. A successful exploit then executes only with that process's limited privileges, which bounds what an attacker can do with it.
Recommendations for QNX SDP 7.0 Users
Users of QNX SDP 7.0 who cannot immediately upgrade to version 8.0 should, as BlackBerry strongly recommends, restrict the capabilities of the processes that decode SGI-format images. Granting those processes only the permissions they need limits the damage a successful attack can do.
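The privilege-restriction advice above (the third workaround and the recommendation for 7.0 users) in code, as an added POSIX C example that is not BlackBerry's code and is not QNX-specific: the decoder is run in a forked child that first caps its CPU time and address space, then drops to an unprivileged uid/gid and verifies that root cannot be regained, and only then parses the untrusted bytes. A crash inside the decoder is reported back to the parent as a signal number instead of killing the calling service. The decode_fn callback type, the two stand-in decoders and the exit-code convention are assumptions of this example.

```c
/* decode_sandbox.c - run an image decoder in a separate child process that has
 * dropped privileges and capped resources, so a crash or memory blow-up inside
 * the decoder cannot take the calling service down or run as root.
 * Added example, POSIX only; not BlackBerry/QNX code. The decode_fn callback
 * type and the exit-code convention are assumptions of this example. */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <signal.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/resource.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>
int setgroups(size_t size, const gid_t *list);   /* explicit prototype: <grp.h> hides it under strict feature macros */

typedef int (*decode_fn)(const uint8_t *data, size_t len);

/* Tighten one rlimit (soft and hard) to at most `value`; never raises anything. */
static int cap_limit(int resource, rlim_t value)
{
    struct rlimit rl;
    if (getrlimit(resource, &rl) != 0) return -1;
    if (value < rl.rlim_max) rl.rlim_max = value;   /* hard limit too, so the decoder cannot undo it */
    rl.rlim_cur = rl.rlim_max;
    return setrlimit(resource, &rl);
}

/* Give up root irreversibly: supplementary groups, then gid, then uid, then prove it stuck. */
static int drop_privileges(uid_t uid, gid_t gid)
{
    if (geteuid() == 0 && setgroups(0, NULL) != 0) return -1;
    if (setgid(gid) != 0) return -1;                 /* gid first: after setuid() it would be denied */
    if (setuid(uid) != 0) return -1;
    if (uid != 0 && setuid(0) == 0) return -1;       /* regaining root must fail */
    return 0;
}

/* Decode `data` in a sandboxed child. Returns the decoder's exit status (0..255),
 * -signo if the child was killed by a signal (e.g. -SIGSEGV), or -256 on setup failure. */
int decode_sandboxed(decode_fn decode, const uint8_t *data, size_t len,
                     uid_t uid, gid_t gid, rlim_t cpu_seconds, rlim_t max_mem_bytes)
{
    pid_t pid = fork();
    if (pid < 0) return -256;
    if (pid == 0) {                                  /* child: the only place untrusted bytes are parsed */
        if (cap_limit(RLIMIT_CPU, cpu_seconds) != 0) _exit(126);
        if (max_mem_bytes && cap_limit(RLIMIT_AS, max_mem_bytes) != 0) _exit(126);
        if (drop_privileges(uid, gid) != 0) _exit(125);
        _exit(decode(data, len) & 0xff);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -256;
    if (WIFEXITED(status)) return WEXITSTATUS(status);
    if (WIFSIGNALED(status)) return -WTERMSIG(status);
    return -256;
}

/* Stand-ins for a real codec: one checks the SGI magic, the other faults on its input. */
static int good_decoder(const uint8_t *d, size_t n) { return (n >= 2 && d[0] == 0x01 && d[1] == 0xDA) ? 0 : 2; }
static int crashing_decoder(const uint8_t *d, size_t n) { (void)d; (void)n; raise(SIGSEGV); return 0; }

int main(void)
{
    static const uint8_t sample[] = { 0x01, 0xDA, 0, 1 };   /* constructed: SGI magic + two header bytes */
    uid_t uid = getuid(); gid_t gid = getgid();              /* production: a dedicated unprivileged account */
    rlim_t mem = (rlim_t)256 << 20;                          /* 256 MiB address-space cap for the decoder */
    printf("well-behaved decoder : %d\n", decode_sandboxed(good_decoder, sample, sizeof sample, uid, gid, 5, mem));
    printf("crashing decoder     : %d\n", decode_sandboxed(crashing_decoder, sample, sizeof sample, uid, gid, 5, mem));
    return 0;
}
```

A real integration would also hand the decoded pixels back to the parent over a pipe or shared memory rather than discarding them, and on QNX could additionally drop specific process abilities with procmgr_ability() after the setuid() call; this portable example shows only the POSIX part.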