VDB

CVE-2020-26262

CVE-2020-26262 PUBLISHED

Coturn is free open source implementation of TURN and STUN Server. Coturn before version 4.5.2 by default does not allow peers to connect and relay packets to loopback addresses in the range of `127.x.x.x`. However, it was observed that when sending a `CONNECT` request with the `XOR-PEER-ADDRESS` value of `0.0.0.0`, a successful response was received and subsequently, `CONNECTIONBIND` also received a successful response. Coturn then is able to relay packets to the loopback interface. Additionally, when coturn is listening on IPv6, which is default, the loopback interface can also be reached by making use of either `[::1]` or `[::]` as the peer address. By using the address `0.0.0.0` as the peer address, a malicious user will be able to relay packets to the loopback interface, unless `--denied-peer-ip=0.0.0.0` (or similar) has been specified. Since the default configuration implies that loopback peers are not allowed, coturn administrators may choose to not set the `denied-peer-ip` setting. The issue patched in version 4.5.2. As a workaround the addresses in the address block `0.0.0.0/8`, `[::1]` and `[::]` should be denied by default unless `--allow-loopback-peers` has been specified.

EPSS 0.27% · 50.3th percentile

Risk Scores

EPSS Score
0.27%
50.3th percentile

Affected Products

VendorProductVersions
Ubuntu:18.04:LTScoturn0, 4.5.0.6-1ubuntu2, 4.5.0.7-1ubuntu1
Ubuntu:20.04:LTScoturn0, 4.5.1.1-1.1build2, 4.5.1.1-1.1build1
Ubuntu:16.04:LTScoturn4.5.0.3-1, 4.4.5.4-2, 4.5.0.2-3

Timeline

  • Jan 11, 2021 CVE Published
  • Jan 11, 2021 PoC Published
  • Jan 18, 2021 PoC Published
  • Apr 14, 2021 EPSS Score
  • Jun 22, 2021 EPSS Score
  • Aug 24, 2021 EPSS Score
  • Dec 27, 2021 EPSS Score
  • Jan 6, 2022 EPSS Score
  • Feb 4, 2022 EPSS Score
  • Feb 27, 2022 EPSS Score
  • Apr 1, 2022 EPSS Score
  • May 1, 2022 EPSS Score

References

Open in Interactive Console →
$ Console Community · 100/wk Open console ›