CVE-2025-66044
Several vendors · Multiple products
Executive summary
A critical vulnerability has been identified in multiple products utilizing The Biosig Project's libbiosig library. This flaw allows an attacker to execute arbitrary code and gain full control of an affected system by tricking a user into opening a specially crafted MFER file. Due to the high severity and potential for complete system compromise, immediate remediation is strongly advised.
Vulnerability
This vulnerability is a stack-based buffer overflow within the MFER (Medical waveform Format Encoding Rules) file parsing functionality of the libbiosig library. An attacker can create a malicious MFER file containing a specially crafted record with tag value 64 that causes the parser to write data beyond the intended stack buffer. This memory corruption can be leveraged by the attacker to overwrite critical program control data, leading to the execution of arbitrary code with the same privileges as the user who opened the file.
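As an added illustration that is not libbiosig's code or part of the advisory: a C sketch of a length-checked reader for a tag/length/value record such as the tag 64 record described above, with constructed sample inputs showing the two bounds checks a parser needs before copying a file-supplied length into a fixed-size stack buffer. The simplified record framing, the use of the tag value as a record selector, FIELD_CAP and the function names are assumptions made for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* Constructed illustration, not libbiosig's code: simplified MFER-style records
 * (1-byte tag, 1-byte length, value bytes). Real MFER length encoding is richer. */
#define TAG_OF_INTEREST 64
#define FIELD_CAP 16
typedef enum { PARSE_OK, PARSE_REJECTED, PARSE_NOT_FOUND } parse_result_t;

/* Copies the tag-64 value into out. The unsafe pattern this replaces is
 * memcpy(out, p + 2, len) with a file-supplied len and no size comparison. */
parse_result_t extract_tag64(const uint8_t *buf, size_t buflen,
                             uint8_t *out, size_t outcap, size_t *outlen) {
    size_t pos = 0;
    while (pos + 2 <= buflen) {
        uint8_t tag = buf[pos];
        size_t len = buf[pos + 1];
        if (len > buflen - pos - 2)  /* check 1: declared length runs past input */
            return PARSE_REJECTED;
        if (tag == TAG_OF_INTEREST) {
            /* check 2: declared length must fit the caller's stack buffer; the
             * absence of this comparison is what lets a crafted file overwrite it */
            if (len > outcap)
                return PARSE_REJECTED;
            memcpy(out, buf + pos + 2, len);
            *outlen = len;
            return PARSE_OK;
        }
        pos += 2 + len;              /* skip records we do not need */
    }
    return PARSE_NOT_FOUND;
}

/* Parses one constructed file into a FIELD_CAP-sized stack buffer, as a loader would. */
static int parses_as(const uint8_t *file, size_t filelen, parse_result_t want) {
    uint8_t field[FIELD_CAP]; size_t n = 0;
    return extract_tag64(file, filelen, field, sizeof field, &n) == want;
}
int parse_well_formed(void) {
    static const uint8_t f[] = { 0x01, 0x02, 0xAA, 0xBB, 64, 0x04, 1, 2, 3, 4 };
    return parses_as(f, sizeof f, PARSE_OK);
}
int parse_truncated(void) {  /* claims 255 value bytes, only 3 are present */
    static const uint8_t f[] = { 64, 0xFF, 1, 2, 3 };
    return parses_as(f, sizeof f, PARSE_REJECTED);
}
int parse_oversized(void) {  /* claims 32 value bytes, FIELD_CAP is 16 */
    uint8_t f[2 + 32] = { 64, 32 };
    memset(f + 2, 0x41, 32);
    return parses_as(f, sizeof f, PARSE_REJECTED);
}
```

Both rejected inputs are malformed in ways a fuzzer or a crafted file would produce; the second is the case that turns into a stack overwrite when check 2 is missing.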
Business impact
This vulnerability is rated as critical severity with a CVSS score of 9.8. Successful exploitation could lead to a complete compromise of the affected workstation or server. The potential consequences include theft of sensitive data, deployment of ransomware, installation of persistent backdoors, or using the compromised system as a pivot point to attack other internal network resources. The direct business risks are significant, encompassing data breaches, operational disruption, financial loss, and reputational damage.
Remediation
Immediate Action: The primary remediation is to identify all affected assets and update the software to the latest patched version as provided by the respective vendors. After patching, it is crucial to monitor for any signs of post-exploitation activity and review system and application access logs for any unusual file access patterns related to MFER files.
Proactive Monitoring: Implement enhanced monitoring and alerting through Security Information and Event Management (SIEM) or Endpoint Detection and Response (EDR) tools. Specifically, monitor for applications that process MFER files spawning unusual child processes (e.g., cmd.exe, powershell.exe), making unexpected network connections, or writing new executable files to disk. Create alerts for the presence of malformed MFER files on the network or endpoints.
Compensating Controls: If immediate patching is not feasible, implement the following controls to reduce risk:
- Use application control or whitelisting to prevent the affected software from executing unauthorized code.
- Restrict the ability of users to open MFER files from untrusted sources, such as email attachments or internet downloads.
- Deploy network intrusion prevention systems (NIPS) with rules to detect and block attempts to transfer malicious MFER files.
- Educate users on the dangers of opening unsolicited attachments.
Exploitation status
Public Exploit Available: false
Analyst recommendation
Given the critical severity (CVSS 9.8) and the potential for complete system compromise via a user-triggered action, this vulnerability poses a significant risk to the organization. We strongly recommend that all system owners prioritize the immediate application of vendor-supplied patches. Although this CVE is not currently on the CISA KEV list, its high impact score makes it a prime candidate for future inclusion and an attractive target for attackers. Treat this vulnerability with the highest urgency.