OISM libcoap NULL Pointer Dereference Vulnerability in DTLS Handshake
Vulnerability
A NULL pointer dereference vulnerability has been identified in OISM libcoap version 4.3.5. This issue arises in the coap_dtls_generate_cookie() function within the coap_openssl.c file. The vulnerability allows remote attackers to cause a denial-of-service condition by crafting a DTLS handshake that causes the SSL_get_SSL_CTX() function to return NULL. The problem stems from improper handling of OpenSSL's sk_GENERAL_NAME_value() return values during certificate validation, leading libcoap to access a NULL pointer incorrectly.
Impact
Exploitation of this vulnerability causes a segmentation fault, leading to a denial-of-service condition.
Reproduction
The vulnerability can be reproduced by sending a crafted DTLS handshake that triggers the NULL return value from SSL_get_SSL_CTX(). This can be done using the libcoap client example, which demonstrates the issue by initiating a DTLS connection with a malformed handshake that the library fails to process correctly, due to the missing return value check.
Remediation
Users can update to the latest version of OISM libcoap, where this vulnerability has been addressed.
Vulnerability Rating
Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.