CVE-2025-65500
BaseFortify
Publication date: 2025-11-24
Last updated on: 2025-12-01
Assigner: MITRE
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| libcoap | libcoap | 4.3.5 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-476 | The product dereferences a pointer that it expects to be valid but is NULL. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a NULL pointer dereference in the function coap_dtls_generate_cookie() within the libcoap 4.3.5 library's OpenSSL integration. Specifically, when the OpenSSL function SSL_get_SSL_CTX() returns NULL (indicating an invalid or uninitialized SSL object), libcoap does not check this return value and proceeds to use the NULL pointer. This leads to a segmentation fault (crash) during the DTLS handshake process because libcoap calls SSL_CTX_get_app_data() with a NULL SSL_CTX pointer, causing a read access violation in OpenSSL's internal functions. [2]
How can this vulnerability impact me? :
This vulnerability can cause a denial of service (DoS) by crashing the application using libcoap during DTLS handshake processing. A remote attacker can send a specially crafted DTLS handshake message that triggers the NULL pointer dereference, causing the application to crash and become unavailable. [2]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for crashes or segmentation faults in the libcoap process during DTLS handshake attempts, especially those involving crafted DTLS packets. Using AddressSanitizer or similar memory error detection tools can help identify null pointer dereference crashes related to SSL_get_SSL_CTX() returning NULL. Additionally, network traffic capturing tools like Wireshark or tcpdump can be used to analyze DTLS handshake packets for anomalies or malformed cookies that might trigger the issue. There are no specific commands provided in the resources, but general commands include: 1) Running libcoap with AddressSanitizer enabled to catch null pointer dereferences. 2) Using 'tcpdump -i <interface> port 5684' (default DTLS port for CoAP) to capture DTLS handshake packets. 3) Checking system logs or core dumps for segmentation faults related to libcoap. [2]
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to update libcoap to a version that includes the patch fixing this vulnerability, which adds proper validation of the SSL_get_SSL_CTX() return value to prevent null pointer dereference. The fix is included in a security update that adds comprehensive return value checks for OpenSSL functions in coap_openssl.c. Until the update can be applied, consider restricting or filtering DTLS handshake traffic from untrusted sources to reduce exposure to crafted packets that trigger the issue. Monitoring and restarting the libcoap service upon crashes can also help maintain availability. [1]