CVE-2025-59391
📋 TL;DR
A memory disclosure vulnerability in libcoap's OSCORE configuration parser allows attackers to read memory beyond string boundaries in the .rodata section. This could lead to information disclosure or denial of service. Affected systems are those using libcoap before version 4.3.5-patches.
💻 Affected Systems
- libcoap
📦 What is this software?
Libcoap by Libcoap
⚠️ Risk & Real-World Impact
Worst Case
Sensitive information disclosure from memory, potentially including cryptographic keys or other secrets, leading to complete system compromise.
Likely Case
Information disclosure of adjacent memory contents, potentially revealing configuration details or other non-critical data.
If Mitigated
Minimal impact with proper network segmentation and access controls limiting exposure to untrusted inputs.
🎯 Exploit Status
Exploitation requires sending specially crafted configuration values to trigger the out-of-bounds read.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: v4.3.5a or release-4.3.5-patches
Vendor Advisory: https://github.com/obgm/libcoap/releases/tag/v4.3.5a
Restart Required: Yes
Instructions:
1. Download libcoap v4.3.5a or later from GitHub. 2. Replace existing libcoap installation with patched version. 3. Recompile any applications using libcoap. 4. Restart affected services.
🔧 Temporary Workarounds
Disable OSCORE Configuration Parsing
allDisable or restrict OSCORE configuration functionality if not required.
# Configure application to disable OSCORE parsing if possible
Network Segmentation
linuxRestrict network access to services using libcoap to trusted sources only.
# Use firewall rules to limit access: iptables -A INPUT -p tcp --dport [PORT] -s [TRUSTED_IP] -j ACCEPT
# iptables -A INPUT -p tcp --dport [PORT] -j DROP
🧯 If You Can't Patch
- Implement strict input validation for OSCORE configuration values.
- Monitor for unusual memory access patterns or crashes in libcoap services.
🔍 How to Verify
Check if Vulnerable:
Check libcoap version: dpkg -l | grep libcoap or rpm -qa | grep libcoap. If version is earlier than 4.3.5-patches, system is vulnerable.Check Version:
libcoap-config --version 2>/dev/null || pkg-config --modversion libcoap 2>/dev/null || echo "Check package manager"Verify Fix Applied:
Verify libcoap version is 4.3.5a or later after patching.📡 Detection & Monitoring
Log Indicators:
- Application crashes or segmentation faults in libcoap processes
- Unusual memory access patterns in system logs
Network Indicators:
- Unusual OSCORE configuration packets sent to libcoap services
- Traffic patterns indicating memory probing
SIEM Query:
source="*libcoap*" AND (event_type="crash" OR event_type="segfault")