CVE-2025-66047
Several · Multiple Products
Executive summary
A critical vulnerability has been identified in multiple products utilizing The Biosig Project's libbiosig library. This flaw allows an attacker to execute arbitrary code on a user's system by tricking them into opening a specially crafted MFER file, potentially leading to a full system compromise.
Vulnerability
The vulnerability is a stack-based buffer overflow within the MFER file parsing functionality of the libbiosig library (version 3.9.1). An attacker can create a malicious MFER file containing a specific data structure (Tag 131) that, when processed by an application using the vulnerable library, causes more data to be written to a memory buffer on the stack than it can hold. This overflow can overwrite critical program data, including the return address, allowing the attacker to redirect the program's execution flow to malicious code embedded in the file, resulting in arbitrary code execution with the permissions of the user running the application.
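As an added illustration of the bug class described above (example code written for this page, not libbiosig's parser): a tag-length-value reader that enforces the length check whose absence lets an oversized Tag 131 value overrun a fixed stack buffer. The record layout (1-byte tag, BER-style length, value bytes), the 64-byte buffer and the three sample files are assumptions made for the demonstration.

```c
#include <stdint.h>
#include <string.h>
#define TAG_VALUE_CAP 64   /* capacity of the fixed stack buffer (assumed) */
#define TAG_131 131        /* the tag named in the advisory */

/* Decode an assumed BER-style length: a byte below 0x80 is the length itself;
 * 0x80|n means the next n bytes hold it big-endian. Returns bytes consumed, 0 on error. */
static size_t read_length(const uint8_t *p, size_t avail, size_t *len_out)
{
    if (avail < 1) return 0;
    if (p[0] < 0x80) { *len_out = p[0]; return 1; }
    size_t n = p[0] & 0x7F;
    if (n == 0 || n > sizeof(size_t) || avail < 1 + n) return 0;
    size_t len = 0;
    for (size_t i = 0; i < n; i++) len = (len << 8) | p[1 + i];
    *len_out = len;
    return 1 + n;
}

/* Copy the value of the first record tagged `want_tag` into a caller-owned
 * TAG_VALUE_CAP-byte buffer. Returns the value length, or -1 when the file is
 * malformed or the declared length exceeds the buffer. Without the final check,
 * a length larger than the stack buffer would be copied anyway: the overflow pattern. */
int extract_tag(const uint8_t *file, size_t size, uint8_t want_tag, uint8_t *out)
{
    size_t off = 0;
    while (off < size) {
        uint8_t tag = file[off++];
        size_t len = 0, used = read_length(file + off, size - off, &len);
        if (used == 0) return -1;          /* bad length field */
        off += used;
        if (len > size - off) return -1;   /* value runs past end of file */
        if (tag == want_tag) {
            if (len > TAG_VALUE_CAP) return -1;   /* the missing bounds check */
            memcpy(out, file + off, len);
            return (int)len;
        }
        off += len;                        /* skip records we do not need */
    }
    return -1;                             /* tag not present */
}

/* Constructed sample files (not real MFER data). */
static const uint8_t sample_ok[] = { 1, 2, 0xAA, 0xBB, TAG_131, 3, 7, 8, 9 };
static const uint8_t sample_oversized[3 + 65] = { TAG_131, 0x81, 65 }; /* 65-byte value, rest zero */
static const uint8_t sample_truncated[] = { TAG_131, 0x81, 0xFF, 1, 2 };
int parse_ok(void)        { uint8_t b[TAG_VALUE_CAP]; return extract_tag(sample_ok, sizeof sample_ok, TAG_131, b); }
int parse_oversized(void) { uint8_t b[TAG_VALUE_CAP]; return extract_tag(sample_oversized, sizeof sample_oversized, TAG_131, b); }
int parse_truncated(void) { uint8_t b[TAG_VALUE_CAP]; return extract_tag(sample_truncated, sizeof sample_truncated, TAG_131, b); }
```

The oversized sample is rejected before any copy takes place; the truncated one is rejected because its declared length runs past the end of the data.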
Business impact
This vulnerability is rated as critical severity with a CVSS score of 9.8, indicating a high risk to the organization. Successful exploitation could lead to a complete compromise of the affected workstation or server. The consequences include, but are not limited to, theft of sensitive data, deployment of ransomware, installation of persistent backdoors for long-term access, and using the compromised system as a pivot point to attack other resources on the internal network. The attack requires minimal user interaction (opening a file), making it a significant threat through phishing or "drive-by-download" scenarios.
Remediation
Immediate Action:
- Identify all products within the environment that utilize the vulnerable libbiosig library.
- Update all affected products to the latest patched version as recommended by the respective vendors.
- Prioritize patching for systems accessible by users who handle external files and for critical servers.
Proactive Monitoring:
- Monitor for the presence of MFER files from untrusted sources on endpoints and network shares.
- Configure Endpoint Detection and Response (EDR) solutions to alert on suspicious process behavior, such as applications that handle MFER files spawning unexpected child processes (e.g., cmd.exe, powershell.exe).
- Review application logs for errors or crashes related to MFER file parsing, as these could indicate failed exploitation attempts.
Compensating Controls:
- If immediate patching is not feasible, implement user awareness campaigns warning against opening MFER files from untrusted emails or websites.
- Use application control or whitelisting to prevent unauthorized software from executing.
- Block the MFER file type at the email gateway and web filter to reduce the likelihood of users receiving a malicious file.
- Ensure antivirus and EDR signatures are up-to-date to potentially detect and block exploit payloads.
Exploitation status
Public Exploit Available: false
Analyst recommendation
Given the critical CVSS score of 9.8 and the potential for complete system compromise, organizations must treat this vulnerability with the highest priority. The primary recommendation is to apply vendor-supplied patches to all affected systems immediately. Although there is no current evidence of active exploitation, the simplicity of the attack vector (opening a file) makes it an attractive target for threat actors. If patching is delayed, implement the suggested compensating controls to reduce the attack surface and increase monitoring for potential signs of compromise.