CVE-2020-26262 - log

CVE-2020-26262 edited at 11 Jan 2021 11:54:36
Severity
- Unknown
+ High
Remote
- Unknown
+ Remote
Type
- Unknown
+ Insufficient validation
Description
+ A security issue was found in coturn before version 4.5.2. By default coturn does not allow peers to connect and relay packets to loopback addresses in the range 127.x.x.x. However, it was observed that when sending a CONNECT request with the XOR-PEER-ADDRESS value of 0.0.0.0, a successful response was received and subsequently, CONNECTIONBIND also received a successful response. Coturn is then able to relay packets to the loopback interface. Additionally, when coturn is listening on IPv6, which is the default, the loopback interface can also be reached by using either [::1] or [::] as the peer address.
References
+ https://github.com/coturn/coturn/security/advisories/GHSA-6g6j-r9rf-cm7p
+ https://github.com/coturn/coturn/commit/ff5e5478a3e1b426bad053828099403cfc5c1f5f
+ https://github.com/coturn/coturn/commit/af50d63a152cd9505d38f02bc552848748805e7b
+ https://github.com/coturn/coturn/commit/6c774b9fb8d9d76576ece10a6429172ed3800466
+ https://github.com/coturn/coturn/commit/560684c894498285f9e4271f3c924ebf01f36307
+ https://github.com/coturn/coturn/commit/649cbf966181846ecdd7847e4543dd287a78d295
+ https://github.com/coturn/coturn/commit/9c7deff4b8ed8c323c87b9ede75481bd6bc3154d
+ https://github.com/coturn/coturn/commit/dd0ffdb51a4cddaf1d6662079fa91f6f32bd26a8
+ https://github.com/coturn/coturn/commit/d84028b6dbc9eb7d3f8828ec37ae02a0963257b6
Notes
+ Workaround
+ ==========
+
+ The issue can be mitigated by blocking the address block 0.0.0.0/8 and the addresses [::1] and [::] with the denied-peer-ip setting.
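The following is an added example, not coturn's own code: a small model of the peer-address check that reproduces the gap the advisory describes (only 127.0.0.0/8 refused, so 0.0.0.0, [::] and [::1] pass) next to a check that applies the denied-peer-ip workaround above. It goes one step beyond the advisory by also looking through IPv4-mapped IPv6 peers before matching; the deny lists and test addresses are constructed for illustration.

```python
import ipaddress
from typing import Iterable, List

# What the advisory says coturn < 4.5.2 refuses by default: only 127.x.x.x.
DEFAULT_DENY = ["127.0.0.0/8"]

# The workaround from the advisory expressed as denied-peer-ip entries (constructed list).
WORKAROUND_DENY = ["0.0.0.0/8", "::1/128", "::/128"]


def parse_deny_list(entries: Iterable[str]) -> List[ipaddress._BaseNetwork]:
    """Turn textual denied-peer-ip entries into network objects."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def _normalise(peer: str):
    """Parse a peer address as it would appear in XOR-PEER-ADDRESS, e.g. "[::1]"."""
    addr = ipaddress.ip_address(peer.strip("[]"))
    # An IPv4-mapped IPv6 peer (::ffff:a.b.c.d) reaches the IPv4 stack, so match
    # the embedded IPv4 address instead of the IPv6 wrapper (assumption added here).
    mapped = getattr(addr, "ipv4_mapped", None)
    return mapped if mapped is not None else addr


def peer_allowed(peer: str, deny: Iterable[ipaddress._BaseNetwork]) -> bool:
    """True when the peer falls outside every denied network."""
    addr = _normalise(peer)
    return not any(addr in net for net in deny)


def vulnerable_allows(peer: str) -> bool:
    # Behaviour the advisory describes: the unspecified addresses 0.0.0.0 and [::]
    # and the IPv6 loopback [::1] are not in 127.0.0.0/8, so they are accepted even
    # though connecting to them ends up on the local host.
    return peer_allowed(peer, parse_deny_list(DEFAULT_DENY))


def mitigated_allows(peer: str) -> bool:
    # Default list plus the denied-peer-ip workaround from the Notes section.
    return peer_allowed(peer, parse_deny_list(DEFAULT_DENY + WORKAROUND_DENY))
```

The mitigated check mirrors the configuration workaround only; the advisory's actual fix is the 4.5.2 release referenced above.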
CVE-2020-26262 created at 11 Jan 2021 11:37:43