CVE-2020-11805
📋 TL;DR
CVE-2020-11805 is an incorrect UDP access control vulnerability in Pexip Reverse Proxy and TURN Server that allows unauthorized users to relay traffic through the TURN server. This affects organizations using Pexip's video conferencing infrastructure before version 6.1.0, potentially enabling attackers to bypass network security controls.
💻 Affected Systems
- Pexip Reverse Proxy
- Pexip TURN Server
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Attackers could use the vulnerable TURN server as an open proxy to launch attacks against internal systems, bypass firewall rules, and exfiltrate data while appearing to originate from the Pexip server.
Likely Case
Unauthorized external actors could relay malicious traffic through the TURN server to target internal systems, potentially enabling lateral movement within the network.
If Mitigated
With proper network segmentation and access controls, the impact is limited to potential resource exhaustion of the TURN server.
🎯 Exploit Status
Exploitation requires network access to the TURN server but no authentication, making it relatively simple to abuse.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 6.1.0 and later
Vendor Advisory: https://docs.pexip.com/admin/security_bulletins.htm
Restart Required: Yes
Instructions:
1. Back up the current configuration.
2. Upgrade to Pexip version 6.1.0 or later.
3. Restart Pexip services.
4. Verify TURN server functionality.
🔧 Temporary Workarounds
Network Isolation
Restrict network access to the TURN server ports (typically UDP 3478 and 5349) to trusted sources only.
# trusted_network is a placeholder for your client address range (e.g. a CIDR);
# the ACCEPT rule must precede the DROP rule for the same port.
iptables -A INPUT -p udp --dport 3478 -s trusted_network -j ACCEPT
iptables -A INPUT -p udp --dport 3478 -j DROP
iptables -A INPUT -p udp --dport 5349 -s trusted_network -j ACCEPT
iptables -A INPUT -p udp --dport 5349 -j DROP
Disable TURN Server
Temporarily disable TURN server functionality if it is not required for operations.
pexipctl turn disable
🧯 If You Can't Patch
- Implement strict network access controls to limit TURN server access to authorized clients only.
- Monitor TURN server logs for unusual relay activity and implement rate limiting.
🔍 How to Verify
Check if Vulnerable:
Check the installed Pexip version: if it is below 6.1.0 and the TURN server is enabled, the system is vulnerable.
Check Version:
pexip --version
Verify Fix Applied:
Verify version is 6.1.0 or higher and test TURN server functionality with authorized clients only.
📡 Detection & Monitoring
Log Indicators:
- Unusual TURN allocation requests from unexpected IP addresses
- High volume of TURN relay traffic from single sources
Network Indicators:
- UDP traffic on port 3478/5349 from external IPs to internal networks
- TURN server acting as relay for non-video conferencing traffic
SIEM Query:
source="pexip_turn.log" AND (event="allocation" OR event="relay") AND NOT src_ip IN (trusted_ips)
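The log indicators and SIEM query above, as an added detection example that is not part of the original advisory or Pexip's own tooling. It runs over constructed sample log lines in an assumed key=value format (the page does not document the real Pexip TURN log layout), flags allocation/relay events from sources outside an assumed trusted range, and counts per-source allocations and relayed bytes against assumed thresholds.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines in a hypothetical key=value format; the page does not
# document Pexip's actual TURN log format, so adapt LINE_RE to the real one.
SAMPLE_LOG = """\
2020-04-01T10:00:01Z event=allocation src_ip=10.0.5.20 relay_port=49152
2020-04-01T10:00:02Z event=relay src_ip=10.0.5.20 bytes=4096
2020-04-01T10:00:03Z event=allocation src_ip=198.51.100.7 relay_port=49153
2020-04-01T10:00:04Z event=relay src_ip=198.51.100.7 bytes=1048576
2020-04-01T10:00:05Z event=allocation src_ip=198.51.100.7 relay_port=49154
2020-04-01T10:00:06Z event=allocation src_ip=198.51.100.7 relay_port=49155
2020-04-01T10:00:07Z event=relay src_ip=198.51.100.7 bytes=2097152
2020-04-01T10:00:08Z event=allocation src_ip=10.0.5.21 relay_port=49156
"""

# Assumed trusted client range and alert thresholds (tune for your environment).
TRUSTED_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]
ALLOCATION_THRESHOLD = 3           # allocations per source before alerting
RELAY_BYTES_THRESHOLD = 1_000_000  # relayed bytes per source before alerting

LINE_RE = re.compile(r"event=(?P<event>\w+) src_ip=(?P<src>[\d.]+)(?: .*bytes=(?P<bytes>\d+))?")

def analyse(log_text, trusted=TRUSTED_NETWORKS,
            alloc_threshold=ALLOCATION_THRESHOLD, bytes_threshold=RELAY_BYTES_THRESHOLD):
    """Return (untrusted_sources, high_allocation_sources, high_relay_sources),
    i.e. the page's SIEM query plus per-source volume counters."""
    untrusted, allocations, relayed = set(), Counter(), Counter()
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or m["event"] not in ("allocation", "relay"):
            continue
        src = m["src"]
        if not any(ipaddress.ip_address(src) in net for net in trusted):
            untrusted.add(src)
        if m["event"] == "allocation":
            allocations[src] += 1
        elif m["bytes"]:
            relayed[src] += int(m["bytes"])
    high_alloc = {ip for ip, n in allocations.items() if n >= alloc_threshold}
    high_relay = {ip for ip, b in relayed.items() if b >= bytes_threshold}
    return sorted(untrusted), sorted(high_alloc), sorted(high_relay)

if __name__ == "__main__":
    labels = ("untrusted sources", "many allocations", "high relay volume")
    for label, hits in zip(labels, analyse(SAMPLE_LOG)):
        print(f"{label}: {hits}")
```

On the sample data the external source 198.51.100.7 trips all three checks while the two trusted 10.0.5.x clients trip none.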