Off-by-One Error in TIFF Image Codec in QNX SDP by BlackBerry
CVE-2024-48854

7.5HIGH

Key Information:

Vendor

BlackBerry

Status
Qnx Software Development Platform
Vendor
CVE Published:
14 January 2025

What is CVE-2024-48854?

CVE-2024-48854 is a vulnerability that exists within the TIFF image codec of the QNX Software Development Platform (SDP) developed by BlackBerry. This product serves as a real-time operating system primarily used in embedded systems, providing essential functions for various applications, including automotive and industrial control systems. The presence of this vulnerability could allow unauthorized access to sensitive information through an off-by-one error, greatly compromising the security posture of organizations that utilize this software, potentially leading to information leaks and operational disruptions.

Technical Details

The vulnerability is classified as an off-by-one error in the TIFF image codec, which occurs in specific versions of QNX SDP, including 8.0, 7.1, and 7.0. An attacker could exploit this flaw by supplying a maliciously crafted TIFF image, aiming to cause erroneous handling of memory. This could result in information disclosure that impacts the confidentiality of the data being processed by the affected applications. The vulnerability pertains specifically to image processing tasks within the operating system, indicating a narrow but critical failure in the handling of image data.

Potential Impact of CVE-2024-48854

  1. Information Disclosure: The most immediate impact of this vulnerability is the potential for sensitive information to be disclosed to unauthorized entities. Malicious actors could leverage this vulnerability to extract sensitive data processed through the image codec, which could include proprietary information or personal data.

  2. Operational Disruption: Organizations relying on QNX SDP for critical functions may face operational disruptions if the vulnerability is exploited. The unauthorized disclosure of information could lead to compliance violations, damage to organizational reputation, and potentially result in financial losses.

  3. Increased Attack Surface: The existence of this vulnerability could serve as a gateway for further attacks on systems utilizing QNX SDP. Once an attacker gains preliminary access, they may seek to exploit additional vulnerabilities or launched more sophisticated attacks, exacerbating the overall security risk to the organization.

References

https://support.blackberry.com/pkb/s/article/140334

CVSS V3.1

Score:
7.5
Severity:
HIGH
Confidentiality:
High
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

.