Attackers can bypass CoTURN servers’ default access control rules and access network services behind the firewall, security researchers have discovered.
One researcher speculated that, under certain circumstances, an attacker could go on to achieve remote code execution (RCE) (although he emphasized that the documented vulnerability was not itself an RCE flaw).
Berlin-based Enable Security has urged organizations that use the open source servers, which power VoIP platforms, to apply their configuration advice as well as the latest software update.
CoTURN “is used in almost all WebRTC and VoIP systems” worldwide, because it is fast, effective, and “the most full-featured STUN/TURN implementation AFAIK”, Mihály Mészáros, the project’s maintainer, told The Daily Swig.
Akin to a proxy server, a TURN (Traversal Using Relays around NAT) server permits the relaying of TCP connections and UDP packets to other peers.
Bypassing the block
The specter of attackers abusing TURN servers to connect to local services prompted CoTURN maintainers in 2018 to block, by default, connections to the loopback addresses 127.0.0.1 (IPv4) and [::1] (IPv6).
However, security researchers bypassed the IPv4 block (as demonstrated in the video below) after discovering that “the same effect could be achieved by specifying 0.0.0.0 as IP instead of 127.0.0.1” – on Linux systems and “possibly other operating systems” too, a technical blog post explains.
The IPv6 block turned out to be flawed too. “Strangely we could still specify [::1] as peer address and get connected to local services without getting the standard 403, Forbidden IP response,” reads the blog post. There was also “no code to protect against [::]”.
Worst-case scenario
The havoc a successful attacker could wreak “greatly depends on what is on the loopback interface”, Sandro Gauci, CEO and founder of Enable Security, told The Daily Swig.
“A worst-case scenario would be a network service that does not require authentication (because the loopback interface is often considered to be a trusted network) and allows remote code execution.”
He added: “If you have the tools, it is not difficult at all to exploit this vulnerability.”
Fortunately, when the researchers probed applicable bug bounty programs, only one environment permitted “connections to localhost and only on UDP”.
This suggests, the researchers believe, that many organizations have implemented recommendations accompanying Enable Security’s June 2020 research documenting the vulnerability’s presence at several WebRTC-based service providers, and their April 2020 disclosure of a configuration flaw in Slack’s TURN servers.
Remediation, mitigation, configuration
CoTURN maintainers were alerted to the bypass on November 20, 2020. The flaw (CVE-2020-26262) affected CoTURN version 4.5.1.3 and was addressed in version 4.5.2, which landed on January 11, 2021.
At Mészáros’s request, Enable Security provided the fixes, which block 0.0.0.0/8 and [::] by default and correctly parse the IPv6 loopback address [::1].
In addition to applying the update, the researchers recommend using “denied-peer-ip to block special purpose addresses”, or even deploying “TURN servers on an isolated environment” with “no special access to internal systems”.
Organizations unable to apply the update immediately are advised in the meantime to “set the -L flag or listening-ip configuration with the value of an IPv4 address” (although this also prevents the relaying of IPv6 traffic).
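To make the bypass and the hardened default concrete, here is an added example (not code from the article, from Enable Security, or from the CoTURN project) that encodes and decodes the TURN XOR-PEER-ADDRESS attribute an attacker controls, then screens the decoded peer address two ways: a naive exact match on the two loopback literals, which is the kind of check that 0.0.0.0 and [::] slip past, and a hardened check that rejects loopback, the whole 0.0.0.0/8 block and the IPv6 unspecified address, plus operator-supplied ranges in the `denied-peer-ip` first-last syntax mentioned above. The function names, the simplified policy, the IPv4-mapped IPv6 unwrapping and the sample addresses are all assumptions made for this illustration and go beyond what the article states; the wire format follows RFC 5766/RFC 5389.

```python
"""TURN peer-address screening: a naive loopback check beside a hardened one.

Added illustration. Function names, the policy and the sample data are
constructed for this example and are not CoTURN's own code.
"""
import ipaddress
import os
import struct

MAGIC_COOKIE = 0x2112A442          # STUN magic cookie (RFC 5389)
FAMILY_IPV4, FAMILY_IPV6 = 0x01, 0x02


def encode_xor_peer_address(ip: str, port: int, txid: bytes) -> bytes:
    """Build the value of an XOR-PEER-ADDRESS attribute for a given peer."""
    addr = ipaddress.ip_address(ip)
    xport = port ^ (MAGIC_COOKIE >> 16)
    if addr.version == 4:
        xaddr = struct.pack("!I", int(addr) ^ MAGIC_COOKIE)
        return struct.pack("!xBH", FAMILY_IPV4, xport) + xaddr
    key = struct.pack("!I", MAGIC_COOKIE) + txid      # 16-byte key for IPv6
    xaddr = bytes(a ^ b for a, b in zip(addr.packed, key))
    return struct.pack("!xBH", FAMILY_IPV6, xport) + xaddr


def decode_xor_peer_address(value: bytes, txid: bytes):
    """Inverse of encode_xor_peer_address: return (ip_string, port)."""
    family, xport = struct.unpack("!xBH", value[:4])
    port = xport ^ (MAGIC_COOKIE >> 16)
    if family == FAMILY_IPV4:
        raw = struct.pack("!I", struct.unpack("!I", value[4:8])[0] ^ MAGIC_COOKIE)
    elif family == FAMILY_IPV6:
        key = struct.pack("!I", MAGIC_COOKIE) + txid
        raw = bytes(a ^ b for a, b in zip(value[4:20], key))
    else:
        raise ValueError("unknown address family %#x" % family)
    return str(ipaddress.ip_address(raw)), port


def naive_policy_denies(ip: str) -> bool:
    """Exact match on the two loopback literals: what 0.0.0.0 and :: bypass."""
    return ip in ("127.0.0.1", "::1")


def parse_denied_peer_ip(entries):
    """Parse denied-peer-ip style values: a single address or 'first-last'."""
    ranges = []
    for entry in entries:
        first, _, last = entry.partition("-")
        lo = ipaddress.ip_address(first.strip())
        hi = ipaddress.ip_address(last.strip()) if last else lo
        ranges.append((lo, hi))
    return ranges


def hardened_policy_denies(ip: str, denied_ranges=()) -> bool:
    """Reject loopback, 0.0.0.0/8, :: and any configured denied range."""
    addr = ipaddress.ip_address(ip)
    # Assumption beyond the article: unwrap ::ffff:a.b.c.d so IPv4 rules apply.
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    if addr.is_loopback or addr.is_unspecified:
        return True
    if addr.version == 4 and addr in ipaddress.ip_network("0.0.0.0/8"):
        return True
    return any(addr.version == lo.version and lo <= addr <= hi
               for lo, hi in denied_ranges)


def screen_request(attr_value: bytes, txid: bytes, denied_ranges=()):
    """Decode a peer address as a server would and apply both policies."""
    ip, port = decode_xor_peer_address(attr_value, txid)
    verdict = lambda denied: "403 Forbidden IP" if denied else "allowed"
    return {"peer": (ip, port),
            "naive": verdict(naive_policy_denies(ip)),
            "hardened": verdict(hardened_policy_denies(ip, denied_ranges))}


if __name__ == "__main__":
    txid = os.urandom(12)
    # Constructed sample: a metadata endpoint and RFC 1918 space, denied by config.
    ranges = parse_denied_peer_ip(["169.254.169.254", "10.0.0.0-10.255.255.255"])
    for peer in ("127.0.0.1", "0.0.0.0", "::1", "::", "::ffff:127.0.0.1",
                 "169.254.169.254", "203.0.113.10"):
        value = encode_xor_peer_address(peer, 22, txid)
        print(screen_request(value, txid, ranges))
```

Run it and the naive column reads "allowed" for 0.0.0.0 and [::] while the hardened column reads "403 Forbidden IP"; the last address, from the TEST-NET-3 documentation range, is the only one that both policies let through. The `ipaddress` module does the classification, so the policy stays a few lines long and does not depend on string formatting of the address the client sent.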
CoTURN clarion call
Sandro Gauci said Mészáros had been “very receptive and helpful”, while Mészáros expressed gratitude for Enable Security’s professionalism and patch proposals, and for other security teams’ help with the fix rollout and various other issues.
Mészáros, who said he didn’t have time to fix the problems himself, implored organizations that depend on CoTURN to get in touch via GitHub and help him and project author Oleg Moskalenko maintain the project.