Tags › Coturn

coturn: access control bypass via loopback peer address

Published on Jan 11, 2021 in CVE-2020-26262, coturn, access control, security advisory

Fixed version: 4.5.2
Enable Security Advisory: https://www.enablesecurity.com/advisories/ES2021-01-coturn-access-control-bypass/
Coturn Security Advisory: https://github.com/coturn/coturn/security/advisories/GHSA-6g6j-r9rf-cm7p
Other references:
- CVE-2020-26262
- https://www.rtcsec.com/post/2021/01/details-about-cve-2020-26262-bypass-of-coturns-default-access-control-protection/
Tested vulnerable versions: 4.5.1.x
Timeline:
- Report date: 2020-11-20
- Issue confirmed by coturn developers: 2020-11-23
- Security patch provided by Enable Security: 2020-11-30
- Refactoring by coturn developers: 2020-12-07 to 2020-12-10
- Joint Enable Security and Coturn project advisory publication: 2021-01-11

Description

By default coturn does not allow peers to connect and relay packets to loopback addresses in the range of 127.x.x.x. However, it was observed that when sending a CONNECT request with the XOR-PEER-ADDRESS value of 0.0.0.0, a successful response was received and subsequently, CONNECTIONBIND also received a successful response. Coturn then was able to relay packets to local network services.

…

Tags › Coturn

coturn: access control bypass via loopback peer address

Description

Subscribe