CVE-2025-65493
📋 TL;DR
A NULL pointer dereference vulnerability in OISM libcoap 4.3.5 allows remote attackers to cause denial of service via crafted DTLS/TLS connections. This affects systems using vulnerable libcoap versions for CoAP protocol communication. The vulnerability triggers when BIO_get_data() returns NULL, leading to application crashes.
💻 Affected Systems
- OISM libcoap
📦 What is this software?
Libcoap by Libcoap
⚠️ Risk & Real-World Impact
Worst Case
Complete service disruption of CoAP-enabled applications, potentially affecting IoT devices, industrial control systems, or network infrastructure relying on libcoap for communication.
Likely Case
Service crashes and restarts of applications using libcoap, causing temporary unavailability of CoAP services until processes restart.
If Mitigated
Minimal impact with proper network segmentation and monitoring; crashes would be logged and services could auto-restart.
🎯 Exploit Status
Exploitation requires sending specially crafted DTLS/TLS packets to vulnerable endpoints. No authentication needed.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Fixed in libcoap 4.3.6 and later
Vendor Advisory: https://github.com/obgm/libcoap/issues/1743
Restart Required: Yes
Instructions:
1. Update libcoap to version 4.3.6 or later.
2. Recompile applications using libcoap.
3. Restart affected services.
🔧 Temporary Workarounds
Disable DTLS/TLS support
Temporarily disable DTLS/TLS encryption in the libcoap configuration
Recompile libcoap with --disable-dtls flag
Configure applications to use plain CoAP only
Network filtering
Block DTLS/TLS traffic to CoAP services at the network perimeter. Note that the second rule below also drops plain CoAP on 5683/udp, which takes the service offline entirely; apply it only if that is acceptable.
iptables -A INPUT -p udp --dport 5684 -j DROP # DTLS CoAP
iptables -A INPUT -p udp --dport 5683 -j DROP # Plain CoAP if needed
🧯 If You Can't Patch
- Implement network segmentation to isolate CoAP services from untrusted networks
- Deploy rate limiting and connection monitoring to detect and block malicious DTLS/TLS connections
🔍 How to Verify
Check if Vulnerable:
Check the libcoap version with dpkg -l | grep libcoap or rpm -qa | grep libcoap. If the version is 4.3.5 and DTLS is enabled, the system is vulnerable.
Check Version:
coap-client --version 2>/dev/null | head -1 || pkg-config --modversion libcoap-1
Verify Fix Applied:
Verify libcoap version is 4.3.6 or later and test DTLS/TLS connections to CoAP services remain stable.
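The version check above can be scripted so that inventory or SIEM enrichment jobs get a consistent verdict. The script below is an added example written for this page, not code from the advisory or the libcoap project. It assumes the range stated above (4.3.5 with DTLS/TLS enabled is affected, 4.3.6 and later is fixed, earlier releases are outside the advisory's scope), treats a suffixed 4.3.5 build such as 4.3.5rc1 as 4.3.5, and reads the installed version with the same coap-client and pkg-config commands the advisory lists (the pkg-config module name libcoap-1 is taken from the advisory; adjust it to match your build). The function and variable names are the example's own.

```shell
#!/bin/sh
# Added example for CVE-2025-65493 (not part of the advisory or of libcoap).
# Decides whether an installed libcoap falls in the affected range described
# on this page: version 4.3.5 with a DTLS/TLS backend compiled in.

# vfield VERSION N: the Nth dot-separated component of VERSION as a plain
# integer. A missing component becomes 0; a non-digit suffix ("5rc1") is
# dropped. The appended ".." guarantees cut always sees delimiters.
vfield() {
    f=$(printf '%s..\n' "$1" | cut -d. -f"$2")
    f=${f%%[!0-9]*}
    printf '%s\n' "${f:-0}"
}

# version_ge A B: exit 0 if dotted version A >= B, comparing three components
# numerically (so 4.3.10 sorts after 4.3.6).
version_ge() {
    i=1
    while [ "$i" -le 3 ]; do
        a=$(vfield "$1" "$i")
        b=$(vfield "$2" "$i")
        [ "$a" -gt "$b" ] && return 0
        [ "$a" -lt "$b" ] && return 1
        i=$((i + 1))
    done
    return 0   # all components equal
}

# libcoap_vulnerable VERSION DTLS: exit 0 if the install is affected.
# DTLS is "yes" when libcoap was built with a DTLS/TLS backend, "no" if it
# was built with --disable-dtls. The advisory names 4.3.5 only, so earlier
# releases are reported as not affected here (assumption, not a guarantee).
libcoap_vulnerable() {
    ver=$1
    dtls=$2
    [ "$dtls" = yes ] || return 1        # no DTLS/TLS: the crash path is not reachable
    version_ge "$ver" 4.3.6 && return 1  # fixed release or later
    version_ge "$ver" 4.3.5              # 4.3.5, including suffixed builds like 4.3.5rc1
}

# assess VERSION DTLS: print a one-word verdict suitable for scripts or SIEM
# enrichment: VULNERABLE, NOT_AFFECTED, or UNKNOWN when no version was found.
assess() {
    [ -n "$1" ] || { echo UNKNOWN; return 0; }
    if libcoap_vulnerable "$1" "$2"; then
        echo VULNERABLE
    else
        echo NOT_AFFECTED
    fi
}

# installed_version: best-effort read of the installed version using the two
# commands the advisory lists; prints an empty line if neither tool is present.
installed_version() {
    v=$(coap-client --version 2>/dev/null | grep -Eo '[0-9]+(\.[0-9]+)+' | head -1)
    [ -n "$v" ] || v=$(pkg-config --modversion libcoap-1 2>/dev/null) || v=""
    printf '%s\n' "$v"
}

# Usage: sh check_libcoap.sh [VERSION] [yes|no]
# With no arguments the version is read from the installed tools and DTLS is
# assumed enabled, which is the conservative choice for an unknown build.
if [ "$#" -gt 0 ]; then
    assess "$1" "${2:-yes}"
else
    assess "$(installed_version)" yes
fi
```

Run it on a host as `sh check_libcoap.sh` for a local verdict, or feed it version strings collected from package inventories (`sh check_libcoap.sh 4.3.5 yes`). Whether DTLS was compiled in is not derivable from the version string alone, so pass `no` only when you know the build used --disable-dtls.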
📡 Detection & Monitoring
Log Indicators:
- Application crashes with segmentation faults
- Unexpected process terminations of CoAP services
- Error logs mentioning BIO_get_data or coap_openssl.c
Network Indicators:
- Unusual DTLS/TLS connection patterns to CoAP ports (5684/udp)
- Malformed DTLS handshake packets
SIEM Query:
source="*coap*" AND ("segmentation fault" OR "SIGSEGV" OR "null pointer")