CVE-2024-23310
📋 TL;DR
A use-after-free vulnerability in libbiosig's sopen_FAMOS_read function, the reader for imc FAMOS (.famos) signal files, can be triggered by a specially crafted file and leads to arbitrary code execution in the process that parses it. Affected are libbiosig 2.5.0 and the master branch at commit ab0ee111 (the revision Talos tested). No authentication or network access is required: an attacker only has to get a crafted file opened, whether by a user or by an automated ingestion pipeline, and the resulting code runs with that process's privileges.
💻 Affected Systems
- The Biosig Project libbiosig
📦 What is this software?
libbiosig (The BioSig Project) is a C/C++ library for reading and writing biomedical signal data (EEG, ECG, EMG and similar recordings) in many file formats, among them EDF, GDF and imc FAMOS; it is used by the command-line converter save2gdf and by the BioSig toolboxes for Octave/MATLAB and Python. Fedora ships it as a distribution package, which is why the Fedora package-announce list carries the advisory.
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise with attacker gaining the same privileges as the application processing the .famos file, potentially leading to data theft, ransomware deployment, or lateral movement.
Likely Case
Remote code execution on systems that automatically process .famos files from untrusted sources, such as biomedical research platforms or file upload services.
If Mitigated
Limited to a crash (denial of service) of the parsing process if the application runs with minimal privileges inside a sandbox or container, so that code execution inside the parser cannot reach the rest of the host.
🎯 Exploit Status
Exploitation requires delivering a malicious .famos file to a vulnerable system. No authentication is needed if the system processes files from untrusted sources.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check upstream repository for fixes after commit ab0ee111
Vendor Advisory: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OIRLGNQM33KAWVWP5RPMAPHWNP3IY5YW/
Restart Required: Yes
Instructions:
1. Check the current libbiosig version.
2. Update to a patched version from the official repository or your distribution.
3. Rebuild and reinstall any applications that link libbiosig statically or bundle their own copy.
4. Restart affected services so they load the patched library.
🔧 Temporary Workarounds
Disable .famos file processing
Temporarily disable functionality that processes .famos files until patching is complete. Note that libbiosig selects the FAMOS reader by inspecting the start of the file, not by its extension, so an extension filter alone will not stop a renamed file from reaching sopen_FAMOS_read; check the content as well.
# Modify application configuration to reject .famos files
# Implement file type validation to block .famos extensions
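The following pre-parse gate is an added example for this advisory, not code from the BioSig project. It rejects FAMOS input both by the .famos suffix and by the file's leading bytes, since libbiosig sniffs the header rather than trusting the extension. The signature "|CF,2,1,1;" is assumed to be the key that opens an imc FAMOS file; verify it against your own sample files before relying on it. The sample inputs are constructed, not real recordings.

```python
"""Pre-parse gate that keeps FAMOS data away from a vulnerable libbiosig.

Added example for this advisory; it is not code from the BioSig project.
libbiosig picks the FAMOS reader by sniffing the start of the file, not by
extension, so a gate that only blocks the ".famos" suffix is bypassed by
renaming the file. This gate checks the suffix and the content.
Assumption: an imc FAMOS file opens with the key "|CF,2,1,1;" (verify this
against your own sample files).
"""
import os

FAMOS_SUFFIX = ".famos"
FAMOS_MAGIC = b"|CF,2,1,1;"   # assumed FAMOS file-format key (see module docstring)


class RejectedInput(ValueError):
    """Raised when input must not be handed to libbiosig."""


def looks_like_famos(name: str, head: bytes) -> bool:
    """True if either the file name or the first bytes indicate FAMOS."""
    if os.path.splitext(name)[1].lower() == FAMOS_SUFFIX:
        return True
    return head.startswith(FAMOS_MAGIC)


def gate(name: str, data: bytes) -> bytes:
    """Return data unchanged if it may be parsed; raise RejectedInput otherwise.

    Only the first 64 bytes are inspected, so the check stays cheap for
    large uploads.
    """
    if looks_like_famos(name, data[:64]):
        raise RejectedInput(f"FAMOS input rejected until libbiosig is patched: {name!r}")
    return data


# Constructed sample inputs (not real recordings).
SAMPLES = {
    # honest extension: caught by the suffix check
    "trial01.famos": b"|CF,2,1,1;|CK,1,3,1,1;",
    # renamed to look like EDF: an extension-only filter would let this through
    "trial01.edf": b"|CF,2,1,1;|CK,1,3,1,1;",
    # genuine EDF header begins with the 8-byte version field "0       "
    "eeg.edf": b"0       " + b" " * 56,
}


def triage(samples=SAMPLES) -> dict:
    """Map each sample name to 'rejected' or 'accepted'."""
    result = {}
    for name, data in samples.items():
        try:
            gate(name, data)
            result[name] = "accepted"
        except RejectedInput:
            result[name] = "rejected"
    return result


if __name__ == "__main__":
    for name, verdict in triage().items():
        print(f"{verdict:8s} {name}")
```

Place the gate in front of whatever hands bytes to libbiosig (an upload handler, a queue consumer); the renamed sample shows why the content check matters.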
Sandbox libbiosig usage
Run applications that use libbiosig in isolated containers or with minimal privileges, so that code execution inside the parser is confined to the sandbox.
# Use Docker: docker run --read-only --cap-drop=ALL -u nobody app
# Use systemd: SystemCallFilter=~@privileged @resources
🧯 If You Can't Patch
- Implement strict file upload validation to reject .famos files from untrusted sources.
- Deploy application allowlisting to prevent execution of unauthorized code.
🔍 How to Verify
Check if Vulnerable:
Any libbiosig 2.5.0 build, or a master-branch build at or before commit ab0ee111, is vulnerable. Query the installed package, or ask save2gdf (the command-line converter shipped with libbiosig) which library version it links against.
Check Version:
rpm -q libbiosig biosig                # Fedora / RHEL family
dpkg -l 'libbiosig*' biosig-tools      # Debian / Ubuntu
save2gdf -v 2>&1 | head -1             # version reported by the bundled tool
Verify Fix Applied:
A fixed build still has commit ab0ee111 in its history, so searching for that hash proves nothing. Confirm instead that the installed version is one that the upstream changelog or your distribution's advisory (for example the Fedora message linked above) lists as fixing CVE-2024-23310, e.g. rpm -q --changelog libbiosig | grep -i CVE-2024-23310, then re-run your ingestion tests with known-good .famos files.
📡 Detection & Monitoring
Log Indicators:
- Application crashes when processing .famos files
- Unexpected process spawning from libbiosig applications
- Memory access violation errors in system logs
Network Indicators:
- Unexpected outbound connections from systems processing .famos files
- File uploads with .famos extension to vulnerable endpoints
SIEM Query:
(source="*app.log" OR source="*kern.log") AND ((("segfault" OR "segmentation fault") AND "libbiosig") OR "heap-use-after-free")
In production the observable symptom is a plain crash; the kernel's "segfault at ... in libbiosig.so..." message names the faulting library. The string "use-after-free" only appears when the application was built with AddressSanitizer or run under a similar tool, so do not rely on it alone.
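The following script is an added example for this advisory (not BioSig project code) that applies the log indicators above to syslog text: it extracts kernel segfault messages whose faulting object is libbiosig.so, AddressSanitizer heap-use-after-free reports, and records of .famos uploads. The log lines, process names and paths are constructed for the sample.

```python
"""Sift syslog for the crash and upload indicators listed in this advisory.

Added example, not code from the BioSig project. Matches three things:
  * the Linux kernel's "<proc>[<pid>]: segfault at ... in <object>[...]"
    message, kept only when the faulting object is libbiosig.so (a plain
    crash is what a failed exploit of the use-after-free usually leaves);
  * AddressSanitizer's "heap-use-after-free" report, which only exists if
    the application was built with ASan, so it is absent in most production;
  * any mention of a .famos file, to correlate uploads with crashes.
All sample lines, process names and paths below are constructed.
"""
import re

KERNEL_SEGFAULT = re.compile(
    r"(?P<proc>[\w.-]+)\[(?P<pid>\d+)\]: segfault at (?P<addr>[0-9a-f]+) "
    r"ip (?P<ip>[0-9a-f]+) sp (?P<sp>[0-9a-f]+) error (?P<err>\d+) "
    r"in (?P<obj>[^\[\s]+)\["
)
ASAN_UAF = re.compile(
    r"(?P<proc>[\w.-]+)\[(?P<pid>\d+)\]: ==\d+==ERROR: AddressSanitizer: heap-use-after-free"
)
FAMOS_UPLOAD = re.compile(r"(?P<path>\S+\.famos)\b")

# Constructed sample log (not from a real system).
SAMPLE_LOG = """\
Mar 12 10:01:02 ingest kernel: biosig-ingest[4242]: segfault at 7f3a0c0e0010 ip 00007f3a0b9d4c2e sp 00007ffd2c1a1f40 error 4 in libbiosig.so.2.5.0[7f3a0b980000+1a0000]
Mar 12 10:01:05 ingest ingest.py[4100]: upload stored as /srv/uploads/trial01.famos
Mar 12 10:02:17 ingest kernel: python3[5001]: segfault at 0 ip 00007f1c2d3e4f00 sp 00007ffe1a2b3c40 error 4 in libc.so.6[7f1c2d380000+1c4000]
Mar 12 10:03:44 ingest biosig-ingest[4300]: ==4300==ERROR: AddressSanitizer: heap-use-after-free on address 0x619000001080 at pc 0x7f9c6f1a2e3c bp 0x7ffd3a9b1e90 sp 0x7ffd3a9b1e88
"""


def find_indicators(log_text: str) -> list:
    """Return one dict per matching line, in log order."""
    hits = []
    for line in log_text.splitlines():
        m = KERNEL_SEGFAULT.search(line)
        if m:
            # Crashes in other objects (libc here) are not this indicator.
            if m.group("obj").startswith("libbiosig.so"):
                hits.append({"kind": "segfault", "proc": m.group("proc"),
                             "pid": int(m.group("pid")), "obj": m.group("obj")})
            continue
        m = ASAN_UAF.search(line)
        if m:
            hits.append({"kind": "asan-uaf", "proc": m.group("proc"),
                         "pid": int(m.group("pid"))})
            continue
        m = FAMOS_UPLOAD.search(line)
        if m:
            hits.append({"kind": "famos-upload", "path": m.group("path")})
    return hits


if __name__ == "__main__":
    for hit in find_indicators(SAMPLE_LOG):
        print(hit)
```

Feed it the output of journalctl or your shipped syslog; a segfault hit shortly after a famos-upload hit from the same host is the pairing worth escalating.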
🔗 References
- https://talosintelligence.com/vulnerability_reports/TALOS-2024-1923
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OIRLGNQM33KAWVWP5RPMAPHWNP3IY5YW/