CVE-2020-26262

7.2 HIGH

📋 TL;DR

CVE-2020-26262 is a vulnerability in Coturn TURN/STUN servers that allows attackers to bypass loopback address restrictions and relay packets to the local loopback interface. This affects Coturn servers with default configurations, potentially enabling attackers to access services bound to localhost that should be inaccessible from external networks.

💻 Affected Systems

Products:
  • coturn
Versions: All versions before 4.5.2
Operating Systems: All platforms running Coturn
Default Config Vulnerable: ⚠️ Yes
Notes: Default configuration does not deny 0.0.0.0/8, ::1, or :: addresses unless explicitly configured. IPv6 listening (default) increases attack surface.


⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could relay traffic to sensitive services listening only on localhost (like databases, admin interfaces, or internal APIs), potentially leading to data theft, privilege escalation, or service disruption.

🟠 Likely Case

Unauthorized access to internal services that administrators assumed were protected by loopback restrictions, potentially exposing configuration data or enabling lateral movement.

🟢 If Mitigated

If loopback peers are explicitly denied or proper network segmentation exists, impact is limited to potential information disclosure about internal network structure.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires sending specially crafted CONNECT requests with XOR-PEER-ADDRESS set to 0.0.0.0, ::1, or ::. Public advisories include technical details.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 4.5.2

Vendor Advisory: https://github.com/coturn/coturn/security/advisories/GHSA-6g6j-r9rf-cm7p

Restart Required: Yes

Instructions:

1. Download Coturn 4.5.2 or later from the official repository.
2. Stop the Coturn service.
3. Install/upgrade to the patched version.
4. Restart the Coturn service.
5. Verify the version with 'turnserver -v'.

🔧 Temporary Workarounds

Deny loopback and unspecified addresses

all

Explicitly deny 0.0.0.0/8, ::1, and :: addresses in Coturn configuration

Add to turnserver.conf:
  denied-peer-ip=0.0.0.0/8
  denied-peer-ip=::1
  denied-peer-ip=::
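The following script checks whether a turnserver.conf actually carries the three denials listed above. It is an added example, not Coturn's own tooling; it assumes the documented denied-peer-ip value forms (a single address, a CIDR block, or a first-last range) and the two sample configurations are constructed for illustration.

```python
"""Verify that turnserver.conf denies the loopback/unspecified peers from
the CVE-2020-26262 workaround.  Added example, not part of Coturn."""
import ipaddress
from typing import List

# The three denials the workaround calls for.
REQUIRED_DENIALS = ("0.0.0.0/8", "::1", "::")


def parse_denied_peer_ips(conf_text: str) -> list:
    """Return every denied-peer-ip value as an ipaddress network object.

    Coturn accepts a single address, a CIDR block ("10.0.0.0/8") or a
    "first-last" range; ranges are expanded into their covering CIDR blocks.
    Comments (after '#') and unrelated directives are ignored.
    """
    nets = []
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        key, sep, value = line.partition("=")
        if key.strip() != "denied-peer-ip" or not sep:
            continue
        value = value.strip()
        if not value:
            continue
        if "-" in value:  # first-last range form
            first, last = (ipaddress.ip_address(p.strip()) for p in value.split("-", 1))
            nets.extend(ipaddress.summarize_address_range(first, last))
        else:  # single address or CIDR block
            nets.append(ipaddress.ip_network(value, strict=False))
    return nets


def is_covered(target: str, nets) -> bool:
    """True if some denied network contains the whole target block."""
    t = ipaddress.ip_network(target, strict=False)
    return any(n.version == t.version and t.subnet_of(n) for n in nets)


def missing_denials(conf_text: str) -> List[str]:
    """List the required denials that the configuration does not cover."""
    nets = parse_denied_peer_ips(conf_text)
    return [r for r in REQUIRED_DENIALS if not is_covered(r, nets)]


# Constructed sample configurations (not real deployments).
DEFAULT_LIKE_CONF = """\
# turnserver.conf - nothing denied, as in a default install
listening-port=3478
realm=example.org
"""

HARDENED_CONF = """\
listening-port=3478
realm=example.org
denied-peer-ip=0.0.0.0-0.255.255.255   # range form, equals 0.0.0.0/8
denied-peer-ip=::1
denied-peer-ip=::
"""

if __name__ == "__main__":
    for name, conf in (("default-like", DEFAULT_LIKE_CONF), ("hardened", HARDENED_CONF)):
        gaps = missing_denials(conf)
        print(f"{name}: {'OK' if not gaps else 'missing ' + ', '.join(gaps)}")
```

Run it against your real turnserver.conf by passing the file contents to missing_denials(); an empty list means all three denials are present. Note that the check only inspects denied-peer-ip lines, so a Coturn instance that relies on network-level filtering instead will still be reported as missing the entries.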

🧯 If You Can't Patch

  • Implement network-level controls to restrict access to Coturn servers from untrusted networks
  • Monitor for suspicious CONNECT requests with 0.0.0.0, ::1, or :: peer addresses

🔍 How to Verify

Check if Vulnerable:

Check the Coturn version with 'turnserver -v' or examine the running process. Versions below 4.5.2 are vulnerable.

Check Version:

turnserver -v

Verify Fix Applied:

Confirm version is 4.5.2 or higher and check configuration includes denied-peer-ip settings for 0.0.0.0/8, ::1, and ::.

📡 Detection & Monitoring

Log Indicators:

  • CONNECT requests with XOR-PEER-ADDRESS containing 0.0.0.0, ::1, or ::
  • Successful CONNECTIONBIND responses following such CONNECT requests

Network Indicators:

  • Unusual TURN relay traffic to loopback addresses
  • External IPs attempting to establish relays to 127.x.x.x ranges

SIEM Query:

source="coturn.log" AND ("XOR-PEER-ADDRESS=0.0.0.0" OR "XOR-PEER-ADDRESS=::1" OR "XOR-PEER-ADDRESS=::")
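The SIEM query above matches three literal strings, so it misses the rest of 0.0.0.0/8 (for example 0.0.1.9) and IPv4-mapped IPv6 forms such as ::ffff:127.0.0.1. The script below, an added example that is not Coturn's own code, parses the peer address out of each CONNECT line and classifies it with Python's ipaddress module instead; it also serves the monitoring bullet under "If You Can't Patch". The log lines are constructed in the "XOR-PEER-ADDRESS=<addr>" style the query searches for and are not real Coturn output, so adjust the regular expression to your deployment's actual log format.

```python
"""Flag TURN CONNECT requests whose peer address is loopback, unspecified or
anywhere in 0.0.0.0/8 (CVE-2020-26262 indicators).  Added example."""
import ipaddress
import re
from typing import List, Optional, Tuple

# Constructed sample lines, not real Coturn log output.  Session 001 and 007
# are benign; 002-006 carry the peer addresses the advisory warns about.
SAMPLE_LOG = """\
0: session 001: user <alice>: incoming packet CONNECT XOR-PEER-ADDRESS=203.0.113.7:443
0: session 002: user <bob>: incoming packet CONNECT XOR-PEER-ADDRESS=0.0.0.0:5432
0: session 003: user <bob>: incoming packet CONNECT XOR-PEER-ADDRESS=0.0.1.9:6379
0: session 004: user <eve>: incoming packet CONNECT XOR-PEER-ADDRESS=[::1]:8080
0: session 005: user <eve>: incoming packet CONNECT XOR-PEER-ADDRESS=[::ffff:127.0.0.1]:22
0: session 006: user <eve>: incoming packet CONNECT XOR-PEER-ADDRESS=[::]:80
0: session 007: user <carol>: incoming packet CONNECT XOR-PEER-ADDRESS=198.51.100.2:3478
0: session 007: user <carol>: incoming packet CONNECTIONBIND
"""

# Peer address in either "a.b.c.d:port" or "[v6]:port" form (assumed layout).
PEER_RE = re.compile(r"XOR-PEER-ADDRESS=(?:\[(?P<v6>[^\]]+)\]|(?P<v4>[0-9.]+))")
SESSION_RE = re.compile(r"session (\d+)")
CONNECT_RE = re.compile(r"\bCONNECT\b")  # does not match CONNECTIONBIND

ZERO_NET = ipaddress.ip_network("0.0.0.0/8")


def peer_address(line: str) -> Optional[str]:
    """Extract the XOR-PEER-ADDRESS host part of a log line, or None."""
    m = PEER_RE.search(line)
    if not m:
        return None
    return m.group("v6") or m.group("v4")


def is_suspicious_peer(addr: str) -> bool:
    """True for loopback, unspecified, or any address inside 0.0.0.0/8."""
    ip = ipaddress.ip_address(addr)
    # Fold IPv4-mapped IPv6 (::ffff:a.b.c.d) down to IPv4 so one rule set applies.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    if ip.is_unspecified or ip.is_loopback:
        return True
    # is_unspecified only covers 0.0.0.0 itself; the workaround denies all of /8.
    return ip.version == 4 and ip in ZERO_NET


def find_suspicious_connects(log_text: str) -> List[Tuple[str, str]]:
    """Return (session id, peer address) for every CONNECT that should be denied."""
    hits = []
    for line in log_text.splitlines():
        if not CONNECT_RE.search(line):
            continue
        addr = peer_address(line)
        if addr is None or not is_suspicious_peer(addr):
            continue
        s = SESSION_RE.search(line)
        hits.append((s.group(1) if s else "?", addr))
    return hits


if __name__ == "__main__":
    for session, addr in find_suspicious_connects(SAMPLE_LOG):
        print(f"session {session}: CONNECT to loopback/unspecified peer {addr}")
```

A hit on a Coturn instance that already carries the denied-peer-ip workaround indicates a request that was (or should have been) refused; on an unpatched, unconfigured instance it is a candidate for the relay behaviour this CVE describes and warrants correlation with the CONNECTIONBIND indicator listed above.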
