Tags › CVE-2020-26262

coturn: access control bypass via loopback peer address

• Fixed version: 4.5.2
• Enable Security Advisory: https://www.enablesecurity.com/advisories/ES2021-01-coturn-access-control-bypass/
• Coturn Security Advisory: https://github.com/coturn/coturn/security/advisories/GHSA-6g6j-r9rf-cm7p
• Other references:
  • CVE-2020-26262
  • https://www.rtcsec.com/post/2021/01/details-about-cve-2020-26262-bypass-of-coturns-default-access-control-protection/
• Tested vulnerable versions: 4.5.1.x
• Timeline:
  • Report date: 2020-11-20
  • Issue confirmed by coturn developers: 2020-11-23
  • Security patch provided by Enable Security: 2020-11-30
  • Refactoring by coturn developers: 2020-12-07 to 2020-12-10
  • Joint Enable Security and Coturn project advisory publication: 2021-01-11

Description

By default coturn does not allow peers to connect and relay packets to loopback addresses in the range of 127.x.x.x. However, it was observed that when sending a CONNECT request with the XOR-PEER-ADDRESS value of 0.0.0.0, a successful response was received and subsequently, CONNECTIONBIND also received a successful response. Coturn then was able to relay packets to local network services.