OISM libcoap NULL Pointer Dereference Vulnerability in DTLS Handshake

Vulnerability

A NULL pointer dereference vulnerability has been identified in OISM libcoap version 4.3.5. This issue arises in the function coap_dtls_generate_cookie() within the file src/coap_openssl.c. The vulnerability allows remote attackers to cause a denial-of-service condition by crafting a DTLS handshake that causes the function SSL_get_SSL_CTX() to return NULL. The improper handling of this NULL return value during certificate validation leads to the dereference, causing a segmentation fault.
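The missing return-value check described above, modelled as an added example; this is not libcoap's or OpenSSL's code. The types `struct session` and `struct dtls_ctx`, the getter `session_get_ctx()`, the function `generate_cookie_checked()` and the toy MAC are hypothetical stand-ins, and the sample key and peer address are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-ins for the TLS library objects; not OpenSSL or libcoap types. */
struct dtls_ctx { const uint8_t *key; size_t key_len; };  /* per-context cookie secret */
struct session  { struct dtls_ctx *ctx; const uint8_t *peer; size_t peer_len; };

#define COOKIE_LEN 8

/* Models a getter that, like SSL_get_SSL_CTX() on this page, can return NULL. */
static struct dtls_ctx *session_get_ctx(const struct session *s) {
    return s ? s->ctx : NULL;
}

/* Toy keyed mix (FNV-1a style) standing in for the real HMAC; not cryptographic. */
static uint64_t toy_mac(const struct dtls_ctx *c, const uint8_t *p, size_t n) {
    uint64_t h = 1469598103934665603ULL;
    for (size_t i = 0; i < c->key_len; i++) { h ^= c->key[i]; h *= 1099511628211ULL; }
    for (size_t i = 0; i < n; i++)          { h ^= p[i];      h *= 1099511628211ULL; }
    return h;
}

/* Cookie generator; in this example 1 means success and 0 means failure.
 * Every lookup result is validated before use, so a session with no
 * context makes the handshake step fail instead of crashing the process. */
int generate_cookie_checked(const struct session *s, uint8_t *cookie,
                            unsigned int *cookie_len) {
    if (cookie == NULL || cookie_len == NULL) return 0;
    *cookie_len = 0;
    struct dtls_ctx *c = session_get_ctx(s);
    if (c == NULL || c->key == NULL || c->key_len == 0) return 0; /* the check at issue */
    if (s->peer == NULL || s->peer_len == 0) return 0;
    uint64_t mac = toy_mac(c, s->peer, s->peer_len);
    memcpy(cookie, &mac, COOKIE_LEN);
    *cookie_len = COOKIE_LEN;
    return 1;
}

int main(void) {
    static const uint8_t key[] = "constructed-secret", peer[] = "192.0.2.10:5684";
    struct dtls_ctx ctx = { key, sizeof key - 1 };
    struct session ok = { &ctx, peer, sizeof peer - 1 }, orphan = { NULL, peer, sizeof peer - 1 };
    uint8_t cookie[COOKIE_LEN]; unsigned int len;
    printf("with context: %d\n", generate_cookie_checked(&ok, cookie, &len));
    printf("NULL context: %d\n", generate_cookie_checked(&orphan, cookie, &len));
    return 0;
}
```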

Impact

Exploitation of this vulnerability causes a segmentation fault, leading to a denial-of-service condition by crashing the application.

Reproduction

The vulnerability can be reproduced by sending a crafted DTLS handshake that triggers the NULL return value from SSL_get_SSL_CTX(). This can be done using the libcoap client example, which demonstrates the issue by initiating a DTLS connection with a malformed handshake that the library fails to process correctly, due to the missing return value checks.

Remediation

Users can update to the latest version of OISM libcoap, where this vulnerability has been addressed. Instructions for updating can be found in the libcoap documentation.

Added: Nov 24, 2025, 2:23 PM
Updated: Nov 24, 2025, 7:30 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 2.5
exploitability: 6.0
remediation: 7.7
relevance: 1.2
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.