CVE-2020-6061
📋 TL;DR
CVE-2020-6061 is a critical heap out-of-bounds read vulnerability in CoTURN 4.5.1.1 web server that allows attackers to leak sensitive information or cause denial of service via specially crafted HTTPS POST requests. This affects organizations running vulnerable CoTURN TURN/STUN servers exposed to untrusted networks. The vulnerability requires HTTPS access to the web interface.
💻 Affected Systems
- CoTURN
📦 What is this software?
Coturn by Coturn Project
Fedora by Fedoraproject
Ubuntu Linux by Canonical
⚠️ Risk & Real-World Impact
Worst Case
Remote code execution leading to complete system compromise, although CWE-125 (out-of-bounds read) typically results in information disclosure or denial of service rather than code execution.
Likely Case
Information disclosure of heap memory contents potentially containing sensitive data like credentials or session tokens, or server crash causing denial of service.
If Mitigated
Limited impact if proper network segmentation and access controls prevent external attackers from reaching the vulnerable service.
🎯 Exploit Status
Exploitation requires sending a specially crafted HTTPS POST request to the vulnerable web server. The vulnerability is in the parsing logic of POST requests.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 4.5.1.2 and later
Vendor Advisory: https://github.com/coturn/coturn/security/advisories
Restart Required: Yes
Instructions:
1. Download the latest CoTURN version from the official repository.
2. Stop the CoTURN service.
3. Install the updated version.
4. Restart the CoTURN service.
🔧 Temporary Workarounds
Disable HTTPS web interface
Disable the HTTPS web server interface if it is not required.
Modify turnserver.conf: set 'no-tls' and 'no-dtls' options
Remove or comment out 'listening-port' for HTTPS (usually 443 or 5349)
Network access restrictions
Restrict access to the CoTURN web interface using firewall rules (replace trusted_network with your management network range):
iptables -A INPUT -p tcp --dport 443 -s trusted_network -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j DROP
🧯 If You Can't Patch
- Implement strict network segmentation to isolate CoTURN servers from untrusted networks
- Deploy web application firewall (WAF) rules to block malformed POST requests
🔍 How to Verify
Check if Vulnerable:
Run turnserver -v | grep 'Version' and check whether the reported version is 4.5.1.1.
Check Version:
turnserver -v | grep 'Version'
Verify Fix Applied:
Run turnserver -v | grep 'Version' and confirm the reported version is 4.5.1.2 or higher.
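The version check above can be scripted so that hosts are classified consistently. The following is an added example written for this advisory, not coturn project code; it assumes the banner printed by turnserver -v contains a line of the form "Version Coturn-X.Y.Z.W '...'" (the line the grep above matches), and the sample banners in the comments are constructed. One caveat a practitioner needs: distribution packages (such as the Ubuntu and Debian updates referenced by this advisory) often backport the fix while leaving the upstream version string at 4.5.1.1, so a "vulnerable" result from this check should be confirmed against the package manager's version before raising an incident.

```python
"""Classify a turnserver -v banner against the CVE-2020-6061 fix version.

Added example for this advisory; not coturn project code.
Assumption: the banner contains "Version Coturn-<numeric version> ...".
"""
import re
import subprocess

# First upstream release carrying the fix, per the advisory.
FIXED_VERSION = (4, 5, 1, 2)

# Matches e.g. "Version Coturn-4.5.1.1 'dan Eider'" (constructed sample).
VERSION_RE = re.compile(r"Version\s+Coturn-(\d+(?:\.\d+)*)")


def parse_version(banner: str):
    """Return the numeric upstream version as a tuple, or None if absent."""
    match = VERSION_RE.search(banner)
    if match is None:
        return None
    return tuple(int(part) for part in match.group(1).split("."))


def is_vulnerable(banner: str) -> bool:
    """True when the upstream version is older than the fixed release.

    Caveat: distro packages may backport the fix without bumping this
    string, so confirm with dpkg/rpm before treating the host as vulnerable.
    """
    version = parse_version(banner)
    if version is None:
        raise ValueError("no 'Version Coturn-...' line found in banner")
    # Pad short versions so that 4.5.1 compares as 4.5.1.0.
    padded = version + (0,) * (len(FIXED_VERSION) - len(version))
    return padded < FIXED_VERSION


def check_local_install() -> bool:
    """Run turnserver -v on this host and classify it (requires coturn)."""
    proc = subprocess.run(
        ["turnserver", "-v"], capture_output=True, text=True, check=False
    )
    return is_vulnerable(proc.stdout + proc.stderr)


if __name__ == "__main__":
    state = "VULNERABLE (confirm package version)" if check_local_install() else "fixed"
    print(f"CVE-2020-6061: {state}")
```

Only the numeric part of the banner is compared, so a release such as 4.5.2 is correctly treated as newer than 4.5.1.2 even though it has fewer components.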
📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to CoTURN web interface
- Server crashes or abnormal termination
- Memory access violation errors in system logs
Network Indicators:
- Malformed HTTPS POST requests to CoTURN web server ports
- Unusual traffic patterns to CoTURN HTTPS interface
SIEM Query:
source="coturn.log" AND (("POST" AND "malformed") OR "crash" OR "segmentation fault")
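The query's boolean logic can be tested offline before it goes into a SIEM, which also makes the intended grouping explicit: "POST" only counts together with "malformed", while "crash" and "segmentation fault" match on their own. The following is an added example written for this advisory, not coturn project code; the log lines are constructed for illustration (the source addresses are documentation ranges) and do not reproduce coturn's real log format.

```python
"""Apply the advisory's log-indicator logic to coturn log lines offline.

Added example for this advisory; not coturn project code.
The SAMPLE_LOG lines are constructed, not real coturn output.
"""
import re
from collections import Counter


def matches_indicator(line: str) -> bool:
    """Boolean logic of the advisory query, with explicit grouping:
    ("POST" AND "malformed") OR "crash" OR "segmentation fault"."""
    text = line.lower()
    return (
        ("post" in text and "malformed" in text)
        or "crash" in text
        or "segmentation fault" in text
    )


# Crude IPv4 extractor used only to attribute hits to a source.
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def scan(lines):
    """Return (matching lines, per-source-IP hit counts)."""
    hits = []
    per_ip = Counter()
    for line in lines:
        if not matches_indicator(line):
            continue
        hits.append(line)
        match = IP_RE.search(line)
        if match:
            per_ip[match.group(1)] += 1
    return hits, per_ip


# Constructed sample lines (not real coturn log output).
SAMPLE_LOG = [
    "0: : https POST from 203.0.113.7:41022: malformed request body",
    "0: : https GET from 198.51.100.4:50012: /admin",
    "0: : https POST from 203.0.113.7:41024: login form submitted",
    "turnserver[1234]: segmentation fault (core dumped)",
    "0: : session 001: new, realm=<example.org>",
    "0: : https POST from 203.0.113.7:41030: malformed header",
]


if __name__ == "__main__":
    found, by_ip = scan(SAMPLE_LOG)
    for entry in found:
        print("HIT:", entry)
    for ip, count in by_ip.most_common():
        print(f"{ip}: {count} indicator(s)")
```

The plain POST line (a login form) is not flagged, which is the behaviour the grouping is meant to guarantee; the crash line is flagged even though it carries no client address, so the per-IP count only covers the request-level indicators.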
🔗 References
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HQZZPI34LAS3SFNW6Z2ZJ46RKVGEODNA/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OUVZRXW5ZIGWVKOLF3NPXRPP74YX7BUY/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XN2NK6FT7AMW5UIZNXDNHKEAYWAUMGSF/
- https://talosintelligence.com/vulnerability_reports/TALOS-2020-0984
- https://usn.ubuntu.com/4415-1/
- https://www.debian.org/security/2020/dsa-4711