| Vulnerability Name: | CVE-2020-26262 (CCN-194528) | ||||||||||||
| Assigned: | 2020-10-01 | ||||||||||||
| Published: | 2021-01-11 | ||||||||||||
| Updated: | 2022-01-01 | ||||||||||||
| Summary: | Coturn is free open source implementation of TURN and STUN Server. Coturn before version 4.5.2 by default does not allow peers to connect and relay packets to loopback addresses in the range of `127.x.x.x`. However, it was observed that when sending a `CONNECT` request with the `XOR-PEER-ADDRESS` value of `0.0.0.0`, a successful response was received and subsequently, `CONNECTIONBIND` also received a successful response. Coturn then is able to relay packets to the loopback interface. Additionally, when coturn is listening on IPv6, which is default, the loopback interface can also be reached by making use of either `[::1]` or `[::]` as the peer address. By using the address `0.0.0.0` as the peer address, a malicious user will be able to relay packets to the loopback interface, unless `--denied-peer-ip=0.0.0.0` (or similar) has been specified. Since the default configuration implies that loopback peers are not allowed, coturn administrators may choose to not set the `denied-peer-ip` setting. The issue patched in version 4.5.2. As a workaround the addresses in the address block `0.0.0.0/8`, `[::1]` and `[::]` should be denied by default unless `--allow-loopback-peers` has been specified. | ||||||||||||
| CVSS v3 Severity: | 7.2 High (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N) 6.3 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C)
6.3 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C)
| ||||||||||||
| CVSS v2 Severity: | 6.4 Medium (CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:N)
| ||||||||||||
| Vulnerability Type: | CWE-682 CWE-441 | ||||||||||||
| Vulnerability Consequences: | Bypass Security | ||||||||||||
| References: | Source: MITRE Type: CNA CVE-2020-26262 Source: XF Type: UNKNOWN coturn-cve202026262-sec-bypass(194528) Source: MISC Type: Release Notes, Third Party Advisory https://github.com/coturn/coturn/blob/57180ab60afcaeb13537e69ae8cb8aefd8f3f546/ChangeLog#L48 Source: MISC Type: Patch, Third Party Advisory https://github.com/coturn/coturn/commit/abfe1fd08d78baa0947d17dac0f7411c3d948e4d Source: CCN Type: Coturn GIT Repository Loopback bypass by using 0.0.0.0, [::1] or [::] as the peer address Source: CONFIRM Type: Exploit, Third Party Advisory https://github.com/coturn/coturn/security/advisories/GHSA-6g6j-r9rf-cm7p Source: FEDORA Type: Mailing List, Third Party Advisory FEDORA-2021-dee141fc61 Source: FEDORA Type: Mailing List, Third Party Advisory FEDORA-2021-32d0068851 Source: CCN Type: Packet Storm Security [01-11-2021] Coturn 4.5.1.x Access Control Bypass Source: CCN Type: oss-sec Mailing List, Mon, 11 Jan 2021 15:10:13 +0100 Advisory: ES2021-01 - Loopback access control bypass in coturn by using 0.0.0.0, [::1] or [::] as the peer address | ||||||||||||
| Vulnerable Configuration: | Configuration 1: Configuration 2: Configuration CCN 1:  Denotes that component is vulnerable | ||||||||||||
| Oval Definitions | |||||||||||||
| |||||||||||||
| BACK | |||||||||||||