CVE-2020-26262

Published: 11 January 2021

By default, coturn does not allow peers to connect and relay packets to loopback addresses in the `127.x.x.x` range. However, it was observed that a `CONNECT` request with an `XOR-PEER-ADDRESS` value of `0.0.0.0` received a successful response, and the subsequent `CONNECTIONBIND` also received a successful response. Coturn is then able to relay packets to the loopback interface. Additionally, when coturn is listening on IPv6, which is the default, the loopback interface can also be reached by using either `[::1]` or `[::]` as the peer address.
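The gap described above is a deny check that covers `127.x.x.x` but not the other spellings that reach loopback. The following C sketch is an added example, not coturn's code: `peer_addr_is_denied` and `v4_is_local` are hypothetical names, and it goes slightly beyond the advisory by also refusing the rest of `0.0.0.0/8` and IPv4-mapped IPv6 forms of the same addresses.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not coturn's API): 1 if an IPv4 address, in host byte
 * order, is loopback (127.0.0.0/8) or in 0.0.0.0/8, which includes the
 * unspecified address 0.0.0.0 that the advisory shows reaching loopback. */
static int v4_is_local(uint32_t host_order)
{
    uint8_t first = (uint8_t)(host_order >> 24);
    return first == 127 || first == 0;
}

/* Hypothetical helper: 1 if the textual peer address must be refused,
 * 0 if it may be relayed to, -1 if it cannot be parsed (treat as refuse). */
int peer_addr_is_denied(const char *text)
{
    struct in_addr a4;
    struct in6_addr a6;

    if (inet_pton(AF_INET, text, &a4) == 1)
        return v4_is_local(ntohl(a4.s_addr));

    if (inet_pton(AF_INET6, text, &a6) == 1) {
        if (IN6_IS_ADDR_LOOPBACK(&a6) || IN6_IS_ADDR_UNSPECIFIED(&a6))
            return 1;                       /* ::1 and :: */
        if (IN6_IS_ADDR_V4MAPPED(&a6)) {    /* ::ffff:a.b.c.d */
            uint32_t v4;
            memcpy(&v4, &a6.s6_addr[12], sizeof v4);
            return v4_is_local(ntohl(v4));
        }
        return 0;
    }
    return -1;
}

int main(void)
{
    /* Constructed sample peer addresses, not taken from the advisory's traffic. */
    const char *samples[] = { "127.0.0.1", "0.0.0.0", "::1", "::",
                              "::ffff:127.0.0.1", "192.0.2.10", "2001:db8::1" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-18s denied=%d\n", samples[i], peer_addr_is_denied(samples[i]));
    return 0;
}
```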

Priority

Medium

Status

| Package | Release | Status |
| --- | --- | --- |
| coturn (Launchpad, Ubuntu, Debian) | Upstream | Needs triage |
| | Ubuntu 21.04 (Hirsute Hippo) | Released (4.5.1.3-1ubuntu1) |
| | Ubuntu 20.10 (Groovy Gorilla) | Released (4.5.1.3-1ubuntu0.1) |
| | Ubuntu 20.04 LTS (Focal Fossa) | Released (4.5.1.1-1.1ubuntu0.20.04.2) |
| | Ubuntu 18.04 LTS (Bionic Beaver) | Released (4.5.0.7-1ubuntu2.18.04.3) |
| | Ubuntu 16.04 LTS (Xenial Xerus) | Released (4.5.0.3-1ubuntu0.4) |
| | Ubuntu 14.04 ESM (Trusty Tahr) | Does not exist |