Tags › Coturn
Introducing DVRTC: a vulnerable lab for RTC security
Published on Mar 27, 2026 in webrtc security, voip security, training, sip security, kamailio, asterisk, coturn, rtpengine, demo server, TURN security, DVRTC
We’re releasing DVRTC (Damn Vulnerable Real-Time Communications), an intentionally vulnerable VoIP/WebRTC lab environment for security training and research. It comes with 7 hands-on exercises covering 12 attack paths, a live deployment at pbx1.dvrtc.net, and everything you need to start practicing RTC security testing.…
Securing coturn: Configuration Guide
Published on Feb 25, 2026 in TURN security, coturn, server hardening, webrtc security
The coturn-specific companion to our TURN Server Security Best Practices guide. Copy-paste configuration blocks for access control, protocol hardening, rate limiting, and authentication, with three complete templates from minimal to high-security.…
coturn: access control bypass via loopback peer address
Published on Jan 11, 2021 in CVE-2020-26262, coturn, access control, security advisory
- Fixed version: 4.5.2
- Enable Security Advisory: https://www.enablesecurity.com/advisories/ES2021-01-coturn-access-control-bypass/
- Coturn Security Advisory: https://github.com/coturn/coturn/security/advisories/GHSA-6g6j-r9rf-cm7p
- Other references:
- Tested vulnerable versions: 4.5.1.x
- Timeline:
  - Report date: 2020-11-20
  - Issue confirmed by coturn developers: 2020-11-23
  - Security patch provided by Enable Security: 2020-11-30
  - Refactoring by coturn developers: 2020-12-07 to 2020-12-10
  - Joint Enable Security and Coturn project advisory publication: 2021-01-11
Description
By default, coturn does not allow peers to connect and relay packets to loopback addresses in the 127.x.x.x range. However, we observed that a CONNECT request with an XOR-PEER-ADDRESS value of 0.0.0.0 received a successful response, and that the subsequent CONNECTIONBIND request also succeeded. Coturn was then able to relay packets to local network services.
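A peer-address check that closes this gap, as an added example (not coturn's code and not the patch referenced above): it refuses 0.0.0.0 alongside 127.x.x.x. It goes beyond the IPv4 case described here by treating the IPv6 unspecified, loopback and IPv4-mapped forms the same way, and the function names are hypothetical.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <string.h>

/* First octet 127 is loopback (127.0.0.0/8); first octet 0 is "this host"
 * (0.0.0.0/8), which the advisory shows reaching local services. */
static int v4_first_octet_is_local(uint8_t first)
{
    return first == 127 || first == 0;
}

/* Hypothetical helper: returns 1 when a TURN peer address (the value carried
 * in XOR-PEER-ADDRESS, already decoded to text) must be refused because it
 * points back at the relay host, 0 when it may be relayed to. */
int peer_addr_is_local(const char *text)
{
    static const uint8_t zeros[10] = {0};
    struct in_addr v4;
    struct in6_addr v6;

    if (inet_pton(AF_INET, text, &v4) == 1) {
        uint32_t host_order = ntohl(v4.s_addr);
        return v4_first_octet_is_local((uint8_t)(host_order >> 24));
    }

    if (inet_pton(AF_INET6, text, &v6) == 1) {
        const uint8_t *b = v6.s6_addr;

        if (memcmp(b, zeros, 10) != 0)
            return 0;                      /* ordinary IPv6 address */
        /* :: (unspecified) and ::1 (loopback) */
        if (b[10] == 0 && b[11] == 0 && b[12] == 0 &&
            b[13] == 0 && b[14] == 0 && b[15] <= 1)
            return 1;
        /* ::ffff:a.b.c.d carries an IPv4 address; apply the IPv4 rule */
        if (b[10] == 0xff && b[11] == 0xff)
            return v4_first_octet_is_local(b[12]);
        return 0;
    }

    return 1; /* unparseable input: fail closed */
}
```

The check fails closed, so input that does not parse as an address is refused rather than relayed.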