The Sleuth Kit through 4.14.0 contains an out-of-bounds read vulnerability in the ISO9660 filesystem parser where the parse_susp() function trusts len_id, len_des, and len_src fields from the disk image to memcpy data into a stack buffer without verifying that the source data falls within the parsed SUSP block. An attacker can craft a malicious ISO image that causes reads past the end of the SUSP data buffer, and a zero-length SUSP entry can trigger an infinite parsing loop.
Attack Parameters
Attack Vector
Local
Requires local access
Attack Complexity
Low
Easy to exploit
Attack Requirements
None
No additional conditions
Privileges Required
None
No privileges needed
User Interaction
Passive
Minimal interaction
Impact Assessment
Confidentiality
Low
Partial data leak
Integrity
None
No data modification
Availability
Low
Partial disruption
CVSS Vector v4.0
Weakness Type (CWE)
Vulnerable Products 1
| Configuration | From (including) | Up to (excluding) |
|---|---|---|
|
Sleuthkit The_Sleuth_Kit
cpe:2.3:a:sleuthkit:the_sleuth_kit:*:*:*:*:*:*:*:*
|
— |
4.14.0
|
References 4
https://github.com/sleuthkit/sleuthkit/commit/a95b0ac21733b059a517aaefa667a17e1…
disclosure@vulncheck.com
https://github.com/sleuthkit/sleuthkit/pull/3445
disclosure@vulncheck.com
https://mobasi.ai/sentinel
disclosure@vulncheck.com
https://www.vulncheck.com/advisories/sleuth-kit-iso9660-susp-extension-referenc…
disclosure@vulncheck.com