Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2021.2933 BlackBerry QNX-2021-001 Vulnerability Affecting Cisco Products: August 2021 31 August 2021 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: Cisco Products Publisher: Cisco Systems Operating System: Cisco Impact/Access: Execute Arbitrary Code/Commands -- Remote/Unauthenticated Denial of Service -- Remote/Unauthenticated Resolution: None CVE Names: CVE-2021-22156 Reference: ESB-2021.1489.2 Original Bulletin: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-qnx-TOxjVPdL Comment: On August 17, 2021, BlackBerry released a security advisory, QNX-2021-001, that disclosed an integer overflow vulnerability. Cisco has completed its investigation into its product line to determine which products may be affected by this vulnerability. No products are known to be affected. This advisory is being sent for awareness only. - --------------------------BEGIN INCLUDED TEXT-------------------- BlackBerry QNX-2021-001 Vulnerability Affecting Cisco Products: August 2021 Priority: Critical Advisory ID: cisco-sa-qnx-TOxjVPdL First Published: 2021 August 18 16:00 GMT Last Updated: 2021 August 25 14:44 GMT Version 1.4: Final Workarounds: No workarounds available CVE Names: CVE-2021-22156 CWEs: CWE-190 Summary o On August 17, 2021, BlackBerry released a security advisory, QNX-2021-001 , that disclosed an integer overflow vulnerability in the following BlackBerry software releases: QNX Software Development Platform (SDP) - 6.5.0SP1 and earlier QNX OS for Medical - 1.1 and earlier QNX OS for Safety - 1.0.1 and earlier A successful exploit could allow an attacker to execute arbitrary code or cause a denial of service (DoS). For a description of this vulnerability, see QNX-2021-001 . This advisory is available at the following link: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-qnx-TOxjVPdL Affected Products o Vulnerable Products Cisco has completed its investigation into its product line to determine which products may be affected by this vulnerability. No products are known to be affected. The bugs are accessible through the Cisco Bug Search Tool and contain additional platform-specific information, including workarounds (if available) and fixed software releases. Products Confirmed Not Vulnerable The following Cisco products leverage the affected QNX software; however, Cisco has confirmed that the vulnerability is not exploitable on these platforms. Routing and Switching - Enterprise and Service Provider Channelized shared port adapters (SPAs) ( CSCvz34866 ) Circuit Emulation over Packet (CEoP) SPAs ( CSCvz34865 ) IOS XR 32-bit Software ( CSCvz34871 ) Note: IOS XR 64-bit Software does not leverage QNX software. RF Gateway 10 ( CSCvz34869 ) No other Cisco products are known to be affected by this vulnerability. Workarounds o Any workarounds are documented in the product-specific Cisco bugs, which are identified in the Vulnerable Products section of this advisory. Fixed Software o For information about fixed software releases , consult the Cisco bugs identified in the Vulnerable Products section of this advisory. When considering software upgrades , customers are advised to regularly consult the advisories for Cisco products, which are available from the Cisco Security Advisories page , to determine exposure and a complete upgrade solution. In all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers. Exploitation and Public Announcements o The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of this vulnerability against Cisco products or services. Source o This vulnerability was publicly disclosed by BlackBerry on August 17, 2021. Cisco Security Vulnerability Policy o To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy . This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco. URL o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-qnx-TOxjVPdL Revision History o +---------+-------------------------+-------------+---------+-------------+ | Version | Description | Section | Status | Date | +---------+-------------------------+-------------+---------+-------------+ | | Updated summary and | Summary, | | | | 1.4 | affected products. | Affected | Final | 2021-AUG-25 | | | | Products | | | +---------+-------------------------+-------------+---------+-------------+ | | Updated products under | | | | | 1.3 | investigation and | Affected | Interim | 2021-AUG-24 | | | products confirmed not | Products | | | | | vulnerable. | | | | +---------+-------------------------+-------------+---------+-------------+ | 1.2 | Added products under | Affected | Interim | 2021-AUG-23 | | | investigation. | Products | | | +---------+-------------------------+-------------+---------+-------------+ | 1.1 | Corrected broken link. | Workarounds | Interim | 2021-AUG-20 | +---------+-------------------------+-------------+---------+-------------+ | 1.0 | Initial public release. | - | Interim | 2021-AUG-18 | +---------+-------------------------+-------------+---------+-------------+ - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: https://www.auscert.org.au/bulletins/ =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQIVAwUBYS21A+NLKJtyKPYoAQjdgQ/+PZPrt1cVcRs93IdgcjXcNWGifnxI0Cmt +qbPjaJgAu3vLe+EFBZtioD1vI6HXnK5RcywirvXOoD1hl70wNZVQ0f/fOhKCZ5X JGaJgM6Qv0qfdGrWbg9h1Z1vVn/84TZWAlK8QjsVhsLFPAeFVa+B9FnyM6tCQyhP yke1pelkX0/S5ynT6SgJLvcmuN4U0vABxE5itoCIFYyxvATPjlk2PTxk9r55osaa n1LESWTEXIWYnO3JpU58kx0K2jcATMV3e183li6tJ4BGcTnMTICJvKv/K0NE04US csgvaMFJpIkhvrt1A7KAWwjZNolZDPtK/gqiNHCwZG2rCHcwf7BEgOzg3F0x3xYL uLZOglgMpcdEonYzGwVnvRToEHwwzZ4xy0qt4xxh4jnhED1Rk60iFNORjAWEIHQ9 O6z48iQV+s02QYvo65XiXlTl7Tid1zfxhcjgJV5JCbXWnGc4W4T6mFN2lMwF7m9E M3F3H4HgrYgUY1HX+73f7O5m4R6D+y+inPmCkJkJG6a00nT36qjqjS+xdgAU2f7n 5kpEh+HSISdHM+2T9bEzESob7uRuuxbLZMT3E9iPQ5EePfhGBhevLmxj9q72tUQG 0TasGqvBsS1qSIJcVd/iUQMew4qWWEW8ysZ/g79fGo8dV4AdJH2yaz6ZiaIyjVGD Dgk1/PHwUm0= =1dSb -----END PGP SIGNATURE-----