Executive Summary

This vulnerability is a null pointer dereference in the libcoap library version 4.3.5, specifically in the function coap_dtls_info_callback(). It occurs because the return value of OpenSSL's SSL_get_app_data() function is not checked for NULL before being dereferenced. When SSL_get_app_data() returns NULL, libcoap attempts to access data through this null pointer, causing a segmentation fault and crashing the application. [2]

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can cause a denial of service by crashing applications that use libcoap 4.3.5 during a DTLS handshake. Remote attackers can exploit this by triggering the null pointer dereference, leading to application crashes and service interruptions. [2]

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by monitoring for crashes or segmentation faults in applications using libcoap 4.3.5, especially those handling DTLS handshakes. Specifically, look for null pointer dereference errors or AddressSanitizer reports indicating read access to zero page addresses in the function coap_dtls_info_callback(). Since the issue occurs during DTLS handshake processing, capturing and analyzing DTLS handshake traffic for anomalies or repeated crashes may help. However, no specific detection commands are provided in the available resources. [2]

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation involves updating libcoap to a version that includes proper null checks on the return value of SSL_get_app_data(), as the vulnerability is caused by missing validation leading to null pointer dereference. Applying patches that add comprehensive validation of OpenSSL API return values, such as those described in the fix for related issues (e.g., pull request #1750), will prevent the denial of service. If updating is not immediately possible, consider disabling DTLS support or restricting access to services using libcoap DTLS until a patched version is deployed. [1, 2]

Useful 0 Not Useful 0