CVE-2025-65494
Multiple · Multiple products utilizing the coap_openssl library
A high-severity vulnerability has been identified in multiple products utilizing the coap_openssl library, the OpenSSL-based DTLS back end for the CoAP protocol.
Executive summary
A high-severity vulnerability has been identified in multiple products utilizing the coap_openssl library, the OpenSSL-based DTLS back end for the CoAP protocol. An unauthenticated remote attacker can exploit this flaw by presenting a specially crafted digital certificate to a vulnerable system, causing the service to crash. This results in a denial of service (DoS), making critical services unavailable to legitimate users.
Vulnerability
This vulnerability is a NULL pointer dereference within the get_san_or_cn_from_cert() function of the src/coap_openssl component. The flaw is triggered when the function processes a specially crafted X.509 certificate that lacks fields the function expects to be present, such as a Subject Alternative Name (SAN) or a Common Name (CN). An unauthenticated remote attacker can present such a certificate during a DTLS handshake; the function then dereferences a NULL pointer, which immediately terminates the running process and results in a denial-of-service condition.
Business impact
This vulnerability is rated as High severity with a CVSS score of 7.5. The primary business impact is a denial of service, which can lead to the unavailability of essential services that rely on the affected CoAP-based systems. For organizations utilizing these products in IoT, industrial control systems (ICS), or other critical infrastructure, successful exploitation could cause significant operational disruption, violate service level agreements (SLAs), and result in financial and reputational damage. The ease of exploitation (requiring only a malicious certificate sent over the network) increases the risk of targeted attacks aimed at disrupting business operations.
Remediation
Immediate Action: Organizations must identify all affected products within their environment and apply the security updates released by the respective vendors immediately. In parallel, security teams should begin monitoring for signs of exploitation attempts and closely review system and application logs for anomalous certificate-related activities or unexpected service crashes.
Proactive Monitoring: Monitor application and system event logs for crash events or unexpected restarts of services that utilize the coap_openssl library. Security teams should look for log entries related to certificate validation errors or the processing of malformed certificates that occur immediately before a service failure. Network monitoring should be configured to alert on unusual patterns of DTLS handshake failures or repeated connection attempts from unknown IP addresses.
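The correlation described above, as an added example that is not part of this advisory or of any vendor's tooling: it scans constructed, syslog-style log lines (the line format, the process name coapd and the peer addresses are assumptions) and flags a service crash that is preceded within a short window by certificate-related DTLS handshake failures, while also counting handshake failures per peer to surface repeated attempts.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample log (format, process name and addresses are assumptions, not real product output).
SAMPLE_LOG = """\
2025-11-20T10:00:01 coapd[412] DTLS handshake failed peer=198.51.100.7 reason=certificate verify failed
2025-11-20T10:00:02 coapd[412] DTLS handshake failed peer=198.51.100.7 reason=certificate verify failed
2025-11-20T10:00:03 systemd[1] coapd.service: Main process exited, code=killed, status=11/SEGV
2025-11-20T10:00:05 systemd[1] coapd.service: Scheduled restart job
2025-11-20T10:05:00 coapd[498] DTLS handshake failed peer=203.0.113.9 reason=timeout
2025-11-20T10:20:00 systemd[1] coapd.service: Main process exited, code=killed, status=11/SEGV
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<proc>\w+)\[\d+\] (?P<msg>.*)$")
PEER_RE = re.compile(r"peer=(?P<ip>[0-9.]+)")
CERT_WORDS = ("certificate", "x509", "verify failed")   # certificate-processing errors
CRASH_WORDS = ("SEGV", "core dumped", "Main process exited")  # service failure indicators

def parse(line):
    """Split a log line into (timestamp, process, message); None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return datetime.fromisoformat(m.group("ts")), m.group("proc"), m.group("msg")

def count_handshake_failures(log_text):
    """Count DTLS handshake failures per peer address (repeated attempts from one source)."""
    counts = Counter()
    for ev in filter(None, map(parse, log_text.splitlines())):
        ipm = PEER_RE.search(ev[2])
        if "DTLS handshake failed" in ev[2] and ipm:
            counts[ipm.group("ip")] += 1
    return dict(counts)

def find_suspicious_crashes(log_text, window=timedelta(seconds=30)):
    """Return (crash time, peers, failure count) for crashes preceded by cert errors within window."""
    cert_failures, alerts = [], []
    for ts, _proc, msg in filter(None, map(parse, log_text.splitlines())):
        if any(w in msg for w in CERT_WORDS):
            ipm = PEER_RE.search(msg)
            cert_failures.append((ts, ipm.group("ip") if ipm else "unknown"))
        elif any(w in msg for w in CRASH_WORDS):
            recent = [ip for t, ip in cert_failures if ts - t <= window]
            if recent:  # crash shortly after malformed-certificate handling: worth an alert
                alerts.append((ts.isoformat(), sorted(set(recent)), len(recent)))
    return alerts

if __name__ == "__main__":
    print(find_suspicious_crashes(SAMPLE_LOG))
    print(count_handshake_failures(SAMPLE_LOG))
```

The second crash in the sample is not flagged because the only preceding handshake failure was a timeout twenty minutes earlier, which shows the window and keyword filters suppressing an unrelated restart.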
Compensating Controls: If immediate patching is not feasible, implement the following controls to reduce risk:
- Network Segmentation: Restrict network access to affected services, allowing connections only from trusted hosts and networks to limit the attack surface.
- Access Control Lists (ACLs): Use firewalls or other network devices to block traffic from untrusted sources to the ports used by the vulnerable CoAP services.
- Intrusion Prevention System (IPS): Deploy an IPS with signatures capable of detecting and blocking traffic containing malformed certificates, if such signatures become available.
Exploitation status
Public Exploit Available: false
Analyst recommendation
Given the high severity (CVSS 7.5) of this vulnerability and its potential to cause significant service disruption, we recommend that organizations prioritize the immediate patching of all affected systems. A thorough asset inventory should be conducted to identify all products that utilize the affected coap_openssl library. While this vulnerability is not currently listed on the CISA Known Exploited Vulnerabilities (KEV) catalog, its high impact score warrants urgent attention. Organizations should apply vendor-supplied updates without delay and implement the recommended monitoring and compensating controls to mitigate risk until patching is complete.