CVE-2024-23606
📋 TL;DR
This vulnerability allows arbitrary code execution via an out-of-bounds write in libbiosig's FAMOS file parser. Attackers can exploit it by providing a malicious .famos file, potentially leading to full system compromise. Systems using libbiosig 2.5.0 or the master branch for processing biomedical signal files are affected.
💻 Affected Systems
- The Biosig Project libbiosig
📦 What is this software?
Fedora by Fedoraproject
Libbiosig by Libbiosig Project
⚠️ Risk & Real-World Impact
Worst Case
Remote code execution with highest privileges, complete system takeover, data exfiltration, and lateral movement within the network.
Likely Case
Local privilege escalation or remote code execution when processing untrusted .famos files, potentially compromising the application and underlying system.
If Mitigated
Denial of service or application crash if exploit fails, with limited impact due to proper sandboxing and file validation.
🎯 Exploit Status
Exploitation requires providing a malicious .famos file to the vulnerable function, which is straightforward for attackers with file upload capabilities.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check upstream repository for fixed version
Vendor Advisory: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OIRLGNQM33KAWVWP5RPMAPHWNP3IY5YW/
Restart Required: Yes
Instructions:
1. Check for an updated libbiosig package from your distribution.
2. Apply security updates via the package manager.
3. Restart affected services that use libbiosig.
4. Recompile applications if they link the library directly.
🔧 Temporary Workarounds
Disable FAMOS file processing
All platforms: Temporarily disable or block .famos file processing in applications using libbiosig.
Configure application to reject .famos files
Implement file extension filtering at network perimeter
Sandbox libbiosig usage
Linux: Run applications using libbiosig in isolated containers or with reduced privileges.
docker run --security-opt no-new-privileges image
setcap -r /usr/lib/libbiosig.so
🧯 If You Can't Patch
- Implement strict file upload validation rejecting .famos files from untrusted sources.
- Deploy application-level firewalls to monitor and block suspicious file processing activities.
🔍 How to Verify
Check if Vulnerable:
Check the installed libbiosig version with dpkg -l | grep libbiosig or rpm -qa | grep libbiosig. Version 2.5.0, or a build from the master branch, indicates the vulnerable code.
Check Version:
dpkg -l | grep libbiosig # Debian/Ubuntu
rpm -qa | grep libbiosig # RHEL/Fedora
pkg-config --modversion libbiosig # Source builds
Verify Fix Applied:
Verify that the updated version is installed and no longer falls in the vulnerable version range. Test with known-safe .famos files.
📡 Detection & Monitoring
Log Indicators:
- Application crashes when processing .famos files
- Unexpected process spawning from libbiosig applications
- Failed file parsing errors in application logs
Network Indicators:
- Unexpected .famos file uploads to web applications
- Network traffic from libbiosig processes to suspicious destinations
SIEM Query:
source="application.log" AND ("libbiosig" OR ".famos") AND (error OR crash OR exception)
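The SIEM query above keys on lines that mention libbiosig or .famos together with an error word, so a crash logged by the same process under a different message is missed. The following added example (not part of the advisory) implements the literal query and, alongside it, a per-process correlation that flags any failure message from a process that previously handled a .famos file. The log format and all sample lines are constructed for illustration.

```python
"""Detection logic for the log indicators in this advisory, run over constructed
sample lines. Added example; not from the original page or the libbiosig project."""
import re
from collections import defaultdict

# Constructed syslog-style sample (not from any real system or from the advisory).
SAMPLE_LOG = """\
2024-03-01T10:00:01 host app[4242]: info: loaded libbiosig 2.5.0
2024-03-01T10:00:05 host app[4242]: info: importing upload patient_07.famos
2024-03-01T10:00:06 host app[4242]: error: parse of patient_07.famos aborted: channel block out of range
2024-03-01T10:00:06 host app[4242]: error: FAMOS parser failed: segmentation fault while reading channel block
2024-03-01T10:00:06 host kernel: app[4242]: segfault at 00007f3b2c1d0000 ip 00007f3b2c0a1e10 sp 00007ffd2a3b1c40 error 6 in libbiosig.so.2[7f3b2c080000+90000]
2024-03-01T10:00:07 host app[4242]: exception: unhandled SIGSEGV, restarting worker
2024-03-01T10:01:00 host app[4243]: info: importing upload recording.edf
2024-03-01T10:01:01 host app[4243]: error: EDF header checksum mismatch
2024-03-01T10:01:30 host sshd[900]: error: Connection closed by 10.0.0.5
"""

# "<timestamp> <host> <prog>[<pid>]: <message>"; the pid is optional (kernel lines).
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<prog>[^\[:]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)
SUBJECT_TERMS = ("libbiosig", ".famos")        # what the advisory's query keys on
ERROR_TERMS = ("error", "crash", "exception")  # the failure words it requires
# Broader failure vocabulary for the per-process correlation (assumed, not from the page).
FAILURE_TERMS = ERROR_TERMS + ("segfault", "sigsegv", "signal 11")


def parse_line(line):
    """Split one log line into its fields, or return None if it does not fit."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def siem_query_matches(text):
    """Literal, case-insensitive semantics of the advisory's SIEM query:
    ("libbiosig" OR ".famos") AND (error OR crash OR exception)."""
    low = text.lower()
    return any(t in low for t in SUBJECT_TERMS) and any(t in low for t in ERROR_TERMS)


def run_siem_query(log_text):
    """Return the full lines the literal query would surface."""
    return [ln for ln in log_text.splitlines() if siem_query_matches(ln)]


def correlate_famos_failures(log_text):
    """Flag failure messages from any process that earlier handled a .famos file.
    This catches crash lines that never mention libbiosig or .famos themselves,
    which the literal query misses. Returns {pid: [flagged messages]}."""
    touched_famos = set()
    flagged = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["pid"] is None:
            continue  # unparseable or pid-less (kernel) line: no process to correlate on
        pid, low = rec["pid"], rec["msg"].lower()
        if ".famos" in low:
            touched_famos.add(pid)
        if pid in touched_famos and any(t in low for t in FAILURE_TERMS):
            flagged[pid].append(rec["msg"])
    return dict(flagged)


if __name__ == "__main__":
    for hit in run_siem_query(SAMPLE_LOG):
        print("SIEM query hit:", hit)
    for pid, msgs in correlate_famos_failures(SAMPLE_LOG).items():
        print(f"pid {pid}: {len(msgs)} failure message(s) after handling a .famos file")
```

On the sample, the literal query surfaces only the two lines that name the file or the library, while the correlation attributes three failure messages to the process that imported the .famos file and ignores the unrelated EDF and sshd errors. Tuning FAILURE_TERMS to the crash vocabulary of the actual application and kernel is the main adjustment needed for real logs.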
🔗 References
- https://talosintelligence.com/vulnerability_reports/TALOS-2024-1925
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OIRLGNQM33KAWVWP5RPMAPHWNP3IY5YW/