Full Report
Cisco Talos’ Vulnerability Discovery & Research team recently disclosed vulnerabilities in Biosig Project Libbiosig, Grassroot DiCoM, and Smallstep step-ca. The vulnerabilities mentioned in this blog post have been patched by their respective vendors, all in adherence to Cisco’s third-party vulnerability disclosure policy, except for Grassroot, as the
Analysis Summary
This summary consolidates the vulnerabilities disclosed by the Cisco Talos team in Libbiosig, Grassroot DiCoM, and Smallstep step-ca. Note that the Grassroot DiCoM details are incomplete regarding patching timelines as per the context provided.
---
# Vulnerability: Multiple Vulnerabilities in Libbiosig, Grassroot DiCoM, and Smallstep step-ca
## CVE Details
Multiple CVEs are mentioned across the three products.
**Libbiosig (TALOS-2025-2296)**
- CVE ID: CVE-2025-66043 through CVE-2025-66048 (range)
- CVSS Score: *Not explicitly provided in the text*
- CWE: Stack-based buffer overflow
**Grassroot DiCoM (TALOS-2025-2210, TALOS-2025-2211, TALOS-2025-2214)**
- CVE ID: CVE-2025-53618 - CVE-2025-53619 (TALOS-2025-2210)
- CVE ID: CVE-2025-52582 (TALOS-2025-2211)
- CVE ID: CVE-2025-48429 (TALOS-2025-2214)
- CVSS Score: *Not explicitly provided in the text*
- CWE: Out-of-bounds read
**Smallstep step-ca (TALOS-2025-2242)**
- CVE ID: CVE-2025-44005
- CVSS Score: *Not explicitly provided in the text*
- CWE: Authentication Bypass
## Affected Systems
- **Products:**
  - Biosig Project Libbiosig
  - Grassroot DiCoM
  - Smallstep step-ca
- **Versions:**
  - Libbiosig: Version 3.9.1
  - Grassroot DiCoM, Smallstep step-ca: *Specific vulnerable versions not listed.*
- **Configurations:**
  - Libbiosig: Only affects the MFER parsing functionality.
  - Smallstep step-ca: Affects ACME or SCEP provisioners.
## Vulnerability Description
**Libbiosig (Buffer Overflows):** Several stack-based buffer overflow vulnerabilities exist in the MFER parsing functionality. An attacker supplying a specially crafted MFER file can trigger these flaws.
**Grassroot DiCoM (Out-of-Bounds Reads):** Three distinct out-of-bounds read vulnerabilities were found. Triggered by a malicious file, they result in information leaks, including disclosure of heap data.
**Smallstep step-ca (Authentication Bypass):** A vulnerability allows an attacker to bypass authorization checks, forcing a Step-CA ACME or SCEP provisioner to create certificates without completing required protocol authorization steps.
## Exploitation
- **Status:** PoC availability is *implied* for triggering the flaws, but the text does not state whether PoCs are public. The context indicates these were disclosed under policy, except for the Grassroot issues, which are noted as zero-day disclosures.
- **Complexity:** *Not explicitly provided.* Likely Low/Medium for the first two, since they rely only on a crafted file being parsed.
- **Attack Vector:** Likely Network/Adjacent (delivery of a crafted file to the parsing application).
## Impact
| Vulnerability | Confidentiality | Integrity | Availability |
| :--- | :--- | :--- | :--- |
| Libbiosig (BO) | High (Code Execution) | High (Code Execution) | High (Crash/Denial of Service) |
| DiCoM (OOB Read) | High (Information Leak) | Low/Medium | Medium (Crash/DoS) |
| step-ca (Auth Bypass) | Potential High (Unauthorized Certs) | High (Unauthorized Activity) | Low/Medium |
## Remediation
### Patches
- **Libbiosig:** Patched by the vendor (as per adherence to disclosure policy).
- **Smallstep step-ca:** Patched by the vendor (as per adherence to disclosure policy).
- **Grassroot DiCoM:** The context states the vulnerabilities were disclosed but notes a deviation from the standard policy for Grassroot, so the patching status may be pending or unresolved. **Specific patch versions are not detailed.**
### Workarounds
- *No specific workarounds were listed in the provided context.*
## Detection
- **Indicators of Compromise:**
  - Anomalous processing or crashes related to MFER file handling (Libbiosig).
  - Unexpected data leaks or heap memory access failures (DiCoM).
  - Unauthorized certificate issuance via ACME/SCEP endpoints (step-ca).
- **Detection Methods and Tools:**
  - Download the latest rule sets from Snort.org for coverage against exploitation.
## References
- Vendor advisories can be located by searching for the TALOS ID; the report links themselves point to the Talos blog.
- **General Reference:** Cisco Talos Intelligence Website (for Vulnerability Reports)
- **Specific Reports:**
  - TALOS-2025-2296
  - TALOS-2025-2210, TALOS-2025-2211, TALOS-2025-2214
  - TALOS-2025-2242