CVE-2018-4056

9.8 CRITICAL

📋 TL;DR

This vulnerability lets an unauthenticated attacker bypass authentication on coTURN servers through SQL injection in the administrator web portal login. The username submitted to the login form is placed into the database query without sanitization, so a specially crafted username logs the attacker in to the TURN server's admin interface without a valid password. It affects coTURN servers prior to version 4.5.0.9 that have the administrator web portal enabled.

💻 Affected Systems

Products:
  • coTURN
Versions: Versions prior to 4.5.0.9
Operating Systems: Linux, Windows, macOS, others where coTURN is installed
Default Config Vulnerable: ❌ No (the administrator web portal is off unless the web-admin option is set in turnserver.conf)
Notes: Only deployments that enable the administrator web portal are exposed; the STUN/TURN relay service itself is not the injection point, but a server running it is commonly also configured with the web portal for management.

📦 What is this software?

coTURN is an open-source STUN and TURN server used to relay media for WebRTC, VoIP and similar peer-to-peer applications behind NAT. Besides the relay service on UDP/TCP port 3478, it can expose an HTTPS-based administrator web portal (option web-admin, default port 8080) for managing users, realms and sessions; that portal is where this vulnerability lives.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers gain full administrative control over the TURN server, allowing them to change relay configuration, add or alter TURN user credentials and realms, and use the relay as a foothold or pivot into the surrounding network.

🟠

Likely Case

Authentication bypass leading to unauthorized access to the admin portal, enabling configuration changes or data exposure.

🟢

If Mitigated

Limited impact if the admin portal is disabled or reachable only from trusted management hosts; the vulnerable code is still present in unpatched versions, so exposure returns as soon as the portal is enabled or the network restriction is removed.

🌐 Internet-Facing: HIGH, because the login request can be sent by anyone who can reach the portal's listening port; publicly reachable servers can be compromised by an unauthenticated remote attacker.
🏢 Internal Only: MEDIUM, because an attacker still needs network access to the portal port, but any host on that network segment can exploit it without credentials.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ Yes (the flaw is itself an authentication bypass; no credentials are needed)
Complexity: LOW

Exploitation requires only a single HTTP login request to the admin portal with SQL injection in the username field; public details and PoCs are available, so attackers with basic skills can reproduce it.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 4.5.0.9 and later

Vendor Advisory: https://github.com/coturn/coturn/releases

Restart Required: Yes

Instructions:

  1. Obtain coTURN version 4.5.0.9 or newer from the official repository or your distribution's updated package.
  2. Stop the coTURN service.
  3. Install the updated binaries.
  4. Restart the coTURN service so the patched code is running.

🔧 Temporary Workarounds

Disable Administrator Web Portal

Platform: all

Turn off the vulnerable admin portal so the login handler is never reachable.

Edit the coTURN configuration file (e.g., turnserver.conf) and comment out or remove the web-admin option (and the related web-admin-ip, web-admin-port and web-admin-listen-on-workers options), then restart the service. Note that no-stun is unrelated: it disables STUN handling, not the web portal.

Restrict Network Access

Platform: linux

Limit access to the admin portal to trusted management IPs only.

Use iptables or similar to block access to the web admin port (web-admin-port, default 8080) from everything except trusted hosts. Port 3478 is the STUN/TURN relay port and is not where the vulnerable portal listens.
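The two workarounds above as one POSIX shell script, added here as an example and not part of coTURN: it comments out every web-admin option in a turnserver.conf, and prints (rather than applies) the iptables rules that restrict the portal port to one trusted host. It assumes the standard coTURN option names web-admin, web-admin-ip, web-admin-port and web-admin-listen-on-workers, and the default web-admin-port of 8080 when none is configured.

```shell
#!/bin/sh
# Added example (not coTURN's own tooling): mitigate CVE-2018-4056 on a host
# that cannot be patched yet. Assumes the standard coTURN option names
# web-admin, web-admin-ip, web-admin-port, web-admin-listen-on-workers and
# the default web-admin-port 8080 when the option is absent.

# Comment out every active web-admin* line so the portal does not start.
# Prints how many lines were disabled. Uses a temp file because "sed -i"
# differs between GNU and BSD sed.
disable_web_admin() {
    conf="$1"
    count=$(grep -c '^[[:space:]]*web-admin' "$conf" || true)
    sed 's/^\([[:space:]]*web-admin\)/# CVE-2018-4056 mitigation: \1/' "$conf" > "$conf.tmp" &&
        mv "$conf.tmp" "$conf"
    echo "$count"
}

# Read the configured admin port, falling back to coTURN's default of 8080.
admin_port() {
    port=$(sed -n 's/^[[:space:]]*web-admin-port=\([0-9]*\).*/\1/p' "$1" | tail -n 1)
    echo "${port:-8080}"
}

# Print iptables rules allowing only $2 (a trusted management address or
# CIDR) to reach the admin port, and dropping everyone else. Printed, not
# executed, so the operator can review them first.
firewall_rules() {
    port="$(admin_port "$1")"
    trusted="$2"
    printf 'iptables -A INPUT -p tcp --dport %s -s %s -j ACCEPT\n' "$port" "$trusted"
    printf 'iptables -A INPUT -p tcp --dport %s -j DROP\n' "$port"
}

# Usage: sh mitigate.sh /etc/turnserver.conf 10.0.0.5
if [ "$#" -eq 2 ]; then
    echo "disabled $(disable_web_admin "$1") web-admin option(s) in $1"
    firewall_rules "$1" "$2"
fi
```

Disabling the portal is the complete mitigation; the firewall rules are a fallback for sites that need the portal and accept the residual risk from the trusted host. Restart coTURN after editing the configuration.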

🧯 If You Can't Patch

  • Operators cannot add input validation to the portal themselves; the sanitization fix lives in coTURN's code and only arrives with 4.5.0.9. Treat disabling the web-admin option as the mandatory control.
  • If the portal must stay up, place it behind a reverse proxy or web application firewall (WAF) that filters SQL injection payloads in the login request, and pair that with the IP restriction above; a WAF alone can be bypassed by encoding variations.

🔍 How to Verify

Check if Vulnerable:

A server is vulnerable when both conditions hold: the coTURN version is below 4.5.0.9 and the web-admin option is enabled in turnserver.conf. Also review logs for login attempts whose usernames contain quote characters or SQL fragments.

Check Version:

Run turnserver --version, or read the version banner coTURN prints on startup (a line of the form "Version Coturn-4.5.0.x"), or query your package manager for the installed coturn package.

Verify Fix Applied:

Confirm the installed version is 4.5.0.9 or higher. If the portal is enabled, a login attempt with a username containing a single quote (for example alice') should simply fail like any other wrong credential; it must not log you in or produce a database error.
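The "Check if Vulnerable" and "Check Version" steps as one POSIX shell script, added here as an example and not part of coTURN: it pulls the dotted version out of any text such as coTURN's startup banner, compares it field by field against 4.5.0.9, and checks whether the web-admin option is active in the configuration file. It assumes the banner format "Version Coturn-A.B.C.D ..." and that the portal's master switch is a bare web-admin line in turnserver.conf.

```shell
#!/bin/sh
# Added example (not coTURN's own tooling): is this host exposed to
# CVE-2018-4056? Both must hold: version below 4.5.0.9 AND web-admin
# enabled. Assumes the version text contains a dotted number such as
# "Version Coturn-4.5.0.8 'dan Eider'" and that turnserver.conf enables the
# portal with a bare "web-admin" line.

FIXED_VERSION=4.5.0.9

# Print the first dotted numeric version found in the argument text.
extract_version() {
    printf '%s\n' "$1" | awk 'match($0, /[0-9]+(\.[0-9]+)+/) {
        print substr($0, RSTART, RLENGTH); exit
    }'
}

# Return 0 when version $1 is strictly lower than $2. Fields are compared
# numerically (so 4.5.0.10 > 4.5.0.9, unlike a string compare); a missing
# field counts as 0.
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0
            yi = (i <= nb) ? y[i] + 0 : 0
            if (xi < yi) exit 0
            if (xi > yi) exit 1
        }
        exit 1
    }'
}

# Return 0 when the portal master switch is on (an uncommented web-admin line).
web_admin_enabled() {
    grep -Eq '^[[:space:]]*web-admin[[:space:]]*$' "$1"
}

# Return 0 = vulnerable, 1 = not vulnerable, 2 = could not parse version.
coturn_vulnerable() {
    ver=$(extract_version "$1")
    conf="$2"
    if [ -z "$ver" ]; then
        echo "could not parse a version from: $1"; return 2
    fi
    if ! version_lt "$ver" "$FIXED_VERSION"; then
        echo "version $ver >= $FIXED_VERSION: patched"; return 1
    fi
    if ! web_admin_enabled "$conf"; then
        echo "version $ver < $FIXED_VERSION but web-admin is disabled: not exposed"; return 1
    fi
    echo "version $ver < $FIXED_VERSION and web-admin enabled: VULNERABLE"; return 0
}

# Usage (banner source is an assumption; adapt to where your coturn logs go):
#   sh check.sh "$(journalctl -u coturn | grep -m1 'Version Coturn')" /etc/turnserver.conf
if [ "$#" -eq 2 ]; then
    coturn_vulnerable "$1" "$2"
fi
```

The numeric field comparison matters because a plain string or lexical sort would rank 4.5.0.10 below 4.5.0.9; the exit code lets the script drop straight into a configuration-management check.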

📡 Detection & Monitoring

Log Indicators:

  • Admin portal login attempts whose usernames contain single or double quotes, SQL comment sequences (--, /*), semicolons, or keywords such as OR, UNION or SELECT; successful admin logins from unexpected sources or at unusual times; database errors in the coTURN or database server logs around the time of those logins.

Network Indicators:

  • Connections to the web admin port (default 8080) from hosts that are not management systems, and HTTP POST requests to the portal login whose form data carries SQL injection payloads, often URL-encoded (for example %27 for the single quote).

SIEM Query:

Example: 'source="coturn.log" AND ("SQL" OR "syntax" OR "error")' to surface database errors, and, where a reverse proxy or WAF logs the login form fields, a search for usernames containing ' OR %27 to catch injection attempts. Decode URL-encoding before matching, since the quote character usually arrives as %27.
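The log indicator above as a runnable detector, added here as an example and not part of coTURN: an awk filter that extracts the submitted username from each login log line, percent-decodes it (so %27 is recognized as the quote it really is), and flags quote characters, SQL comment markers, semicolons and UNION/SELECT keywords. The log format, the user= field name and the /login path are assumptions standing in for whatever a reverse proxy or WAF in front of the portal records; the sample lines are constructed, not real coTURN output.

```shell
#!/bin/sh
# Added example (not coTURN's own tooling): flag admin-portal login attempts
# whose username carries SQL-injection markers. Assumes each log line records
# the submitted username after a "user=" token (field name and log format are
# assumptions; adapt the match() regex to your proxy or WAF log).

suspicious_logins() {
    awk -v sq="'" '
    function hexval(c) { return index("0123456789abcdef", tolower(c)) - 1 }
    # Percent-decode a form value so encoded payloads cannot slip past the
    # character checks below ("+" is a space in form encoding).
    function urldecode(s,    out, h) {
        out = ""
        while (length(s) > 0) {
            if (substr(s, 1, 1) == "%" && substr(s, 2, 2) ~ /^[0-9A-Fa-f][0-9A-Fa-f]$/) {
                h = hexval(substr(s, 2, 1)) * 16 + hexval(substr(s, 3, 1))
                out = out sprintf("%c", h)
                s = substr(s, 4)
            } else if (substr(s, 1, 1) == "+") {
                out = out " "
                s = substr(s, 2)
            } else {
                out = out substr(s, 1, 1)
                s = substr(s, 2)
            }
        }
        return out
    }
    # Only lines that carry a username are of interest.
    match($0, /user=[^ &]*/) {
        u = urldecode(substr($0, RSTART + 5, RLENGTH - 5))
        lu = tolower(u)
        if (index(u, sq) || index(u, "\"") || index(u, ";") ||
            index(u, "--") || index(u, "/*") ||
            lu ~ /(^|[^a-z])(union|select)([^a-z]|$)/) {
            printf "SUSPICIOUS %s decoded_user=%s\n", $0, u
        }
    }'
}

# Constructed sample lines (not real coTURN output): a front-end proxy logging
# the POST fields of the admin login. Lines 3 to 5 are injection attempts.
SAMPLE_LOG='2018-11-20T10:01:02Z POST /login user=alice result=ok
2018-11-20T10:01:05Z POST /login user=bob result=fail
2018-11-20T10:02:10Z POST /login user=admin%27%20OR%20%271%27%3D%271 result=ok
2018-11-20T10:02:11Z POST /login user=x%27%3B--+ result=fail
2018-11-20T10:03:00Z POST /login user=carol+union+select result=fail'

# Usage: sh detect.sh --demo   (or pipe a real log into suspicious_logins)
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_LOG" | suspicious_logins
fi
```

The third sample line is the pattern to worry about most: an injected username followed by result=ok means the bypass succeeded, not merely that it was attempted. The keyword check is a heuristic and will flag legitimate usernames that happen to contain "select" as a word; tune it to your user population.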

🔗 References

  • coTURN releases (fixed in 4.5.0.9): https://github.com/coturn/coturn/releases