VoIP vulnerability: CoTURN patches access control protection bypass

Attackers can bypass CoTURN servers’ default access control rules and access network services behind the firewall, security researchers have discovered.

One researcher speculated that, under certain circumstances, an attacker could go on to achieve remote code execution (RCE) (although he emphasized that the documented vulnerability was not itself an RCE flaw).

Berlin-based Enable Security has urged organizations that use the open source servers, which power VoIP platforms, to apply their configuration advice as well as the latest software update.

CoTURN “is used in almost all WebRTC and VoIP systems” worldwide, because it is fast, effective, and “the most full-featured STUN/TURN implementation AFAIK”, Mihály Mészáros, the project’s maintainer, told The Daily Swig.

Akin to a proxy server, a TURN (Traversal Using Relays around NAT) server permits the relaying of TCP connections and UDP packets to other peers.

Bypassing the block

The specter of attackers abusing TURN servers to connect to local services prompted CoTURN maintainers in 2018 to block, by default, connections to the loopback IP addresses 127.0.0.1 on IPv4 and [::1] on IPv6.

However, security researchers bypassed the IPv4 block (as demonstrated in the video below) after discovering that “the same effect could be achieved by specifying 0.0.0.0 as IP instead of 127.0.0.1” – on Linux systems and “possibly other operating systems” too, a technical blog post explains.

The IPv6 block turned out to be flawed too. “Strangely we could still specify [::1] as peer address and get connected to local services without getting the standard 403, Forbidden IP response,” reads the blog post. There was also “no code to protect against [::]”.

Worst-case scenario

The havoc a successful attacker could wreak “greatly depends on what is on the loopback interface”, Sandro Gauci, CEO and founder of Enable Security, told The Daily Swig.

“A worst-case scenario would be a network service that does not require authentication (because the loopback interface is often considered to be a trusted network) and allows remote code execution.”

He added: “If you have the tools, it is not difficult at all to exploit this vulnerability.”

Fortunately, when researchers probed applicable bug bounty programs, only one environment permitted “connections to localhost and only on UDP”.

This suggests, the researchers believe, that many organizations have implemented recommendations accompanying Enable Security’s June 2020 research documenting the vulnerability’s presence at several WebRTC-based service providers, and their April 2020 disclosure of a configuration flaw in Slack’s TURN servers.

Remediation, mitigation, configuration

CoTURN maintainers were alerted to the bypass on November 20. The flaw (CVE-2020-26262) affected CoTURN version 4.5.1.3 and was addressed in version 4.5.2, which landed on January 11.

Enable Security provided the fixes, which blocked 0.0.0.0/8 and [::] by default and correctly parsed the IPv6 loopback address [::1], at the request of CoTURN’s Mészáros.


In addition to applying the update, the researchers recommend using “denied-peer-ip to block special purpose addresses”, or even deploying “TURN servers on an isolated environment” with “no special access to internal systems”.

Organizations unable to immediately apply the latest update are advised in the meantime to “set the -L flag or listening-ip configuration with the value of an IPv4 address” (albeit this will prevent relaying of IPv6 traffic too).

CoTURN clarion call

Sandro Gauci said Mészáros Mihály had been “very receptive and helpful”, while Mihály expressed gratitude for Enable Security’s professionalism and patch proposals, and other security teams’ help with the fix rollout and various other issues.

Mészáros, who said he didn’t have time to fix the problems himself, implored organizations that depend on CoTURN to get in touch via GitHub and help him and project author Oleg Moskalenko maintain the project.

Source: https://portswigger.net/daily-swig/voip-vulnerability-coturn-patches-access-control-protection-bypass
