CVE-2025-66045

Several vendors · Multiple products

Executive summary

A critical vulnerability exists in a widely used software library, libbiosig, which is embedded in multiple products. An attacker can exploit this flaw by tricking a user into opening a specially crafted MFER file, allowing the attacker to take full control of the affected system. This could lead to data theft, installation of malware, or complete system compromise.

Vulnerability

The vulnerability is a stack-based buffer overflow in the MFER file parsing code of the libbiosig library. An attacker can craft a malicious MFER file containing a record with tag value 65 whose data exceeds the size of the fixed buffer allocated on the stack. When a user opens this file with an application that uses the vulnerable library, the overflow overwrites adjacent stack memory and allows the attacker to execute arbitrary code with the privileges of the user running the application.

Business impact

This vulnerability is rated as critical severity with a CVSS score of 9.8. Successful exploitation could have a severe impact on the business, leading to a complete compromise of system confidentiality, integrity, and availability. An attacker could execute arbitrary code to install ransomware, exfiltrate sensitive data, pivot to other systems on the network, or disrupt critical operations. The reputational damage and financial costs associated with a breach resulting from this vulnerability could be substantial.

Remediation

Immediate Action: The primary remediation is to apply security updates immediately. Update each affected product to the latest version recommended by its vendor so that the bundled libbiosig library is patched. After patching, monitor for any signs of exploitation attempts and review system and application access logs for anomalous activity.

Proactive Monitoring: Implement enhanced monitoring for systems where the vulnerable software is installed. Look for the creation of suspicious MFER files on endpoints and file shares. Monitor for unusual process behavior or unexpected child processes spawned by applications that handle MFER files. Analyze network traffic for any outbound connections from affected systems to unknown or malicious destinations.

Compensating Controls: If patching cannot be immediately deployed, implement the following controls to reduce risk:

  • Use application control or whitelisting to prevent the execution of unauthorized software on affected systems.
  • Restrict the processing of MFER files from untrusted or external sources.
  • Deploy Endpoint Detection and Response (EDR) solutions to detect and block memory exploitation techniques and subsequent malicious activity.
  • Ensure antivirus and anti-malware signatures are up-to-date.
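The vulnerability description above (an oversized tag-65 record) and the monitoring guidance (look for suspicious MFER files) both suggest a simple triage check for files arriving from untrusted sources. The scanner below is an added example, not code from libbiosig or from any vendor; it assumes a simplified tag-length-value layout (one-byte tag, BER-style length, value), which omits MFER special cases such as tags that carry a channel byte, and the size ceiling `MAX_TAG65_LEN` is a placeholder to tune for the application in use. Sample inputs are constructed inline.

```python
# Constructed TLV records, not real MFER files. Assumed layout: one-byte tag,
# BER-style length (n if n < 0x80, else 0x80|k followed by k big-endian bytes), value.
TAG65 = 65
MAX_TAG65_LEN = 256  # hypothetical ceiling; tune to what the consuming application expects

def encode_record(tag: int, value: bytes) -> bytes:
    """Build one TLV record under the assumed encoding (used to construct samples)."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value

def iter_records(data: bytes):
    """Yield (value_offset, tag, declared_len, available_len); declared_len is None if truncated."""
    pos = 0
    while pos < len(data):
        tag = data[pos]
        if pos + 1 >= len(data):          # tag byte with no length byte
            yield pos, tag, None, 0
            return
        first = data[pos + 1]
        pos += 2
        if first & 0x80:                  # long form: next k bytes hold the length
            k = first & 0x7F
            if k == 0 or pos + k > len(data):
                yield pos - 2, tag, None, 0
                return
            length = int.from_bytes(data[pos:pos + k], "big")
            pos += k
        else:
            length = first
        avail = min(length, len(data) - pos)
        yield pos, tag, length, avail
        pos += length

def find_suspicious(data: bytes) -> list:
    """Flag records whose declared length overruns the file, or tag-65 records over the ceiling."""
    findings = []
    for off, tag, length, avail in iter_records(data):
        if length is None or length > avail:
            findings.append((off, tag, "declared length exceeds remaining data"))
        elif tag == TAG65 and length > MAX_TAG65_LEN:
            findings.append((off, tag, f"tag 65 length {length} exceeds {MAX_TAG65_LEN}"))
    return findings

if __name__ == "__main__":
    sample = encode_record(1, b"\x01") + encode_record(TAG65, b"B" * 4096)  # constructed
    for finding in find_suspicious(sample):
        print("offset %d tag %d: %s" % finding)
```

A hit is a reason to quarantine the file and inspect the host, not proof of exploitation; benign files with unusually large records will also trigger the size check.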

Exploitation status

Public Exploit Available: false

Analyst recommendation

Given the critical CVSS score of 9.8, this vulnerability represents a significant risk to the organization. The required user interaction (opening a malicious file) is a low barrier for attackers using common social engineering techniques. We strongly recommend that organizations prioritize the immediate identification of all affected products and deploy the necessary patches without delay. While it is not yet on the CISA KEV list, its severity warrants treating it with the highest urgency.