CVE-2021-21382

8.6 HIGH

📋 TL;DR

This vulnerability in the restund TURN server lets an attacker use the relay to reach services bound to the host's loopback interface. A TURN client names the peer it wants to talk to in the XOR-PEER-ADDRESS attribute of CreatePermission, ChannelBind and Send requests; vulnerable restund versions accept a loopback address there and forward the relayed traffic to 127.0.0.1/::1. Any service that is only bound to loopback because it was assumed to be private becomes reachable, the most obvious target being restund's own status module, which the default configuration binds to localhost. Every restund deployment with the turn module enabled is affected, not only those running the status module.

💻 Affected Systems

Products:
  • restund
Versions: All versions before the fix
Operating Systems: All platforms running restund
Default Config Vulnerable: ⚠️ Yes
Notes: The default configuration binds the status module to a loopback address, which is exactly what the relay can now reach. Any restund instance with the turn module enabled is vulnerable; the status module only determines what the first target looks like, since every other loopback-only service on the host is reachable the same way.

📦 What is this software?

restund is an open source, modular STUN/TURN server written in C (built on libre), maintained by Wire. It provides NAT traversal for real-time media: clients obtain a relay allocation on the server and the server forwards their UDP traffic to the peers they name in TURN requests.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Unrestricted access to every UDP service listening on the TURN host's loopback interface, including unauthenticated admin or metrics endpoints that were considered safe because they were not exposed on a routable address. Whether this escalates to host compromise or lateral movement depends entirely on what those loopback services allow an anonymous caller to do.

🟠

Likely Case

Unauthorized access to restund's own status module over the relay, allowing an attacker to query and manipulate the server (for example list relays or disrupt allocations) and degrade NAT traversal for legitimate users.

🟢

If Mitigated

Limited impact where restund is patched or where the host is configured so that the restund process cannot send to loopback, and where nothing sensitive listens on loopback on the TURN host in the first place.

🌐 Internet-Facing: HIGH - TURN servers are often internet-facing to facilitate NAT traversal, making them accessible to attackers.
🏢 Internal Only: MEDIUM - Internal attackers could exploit this to access local services on the TURN server host.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation consists of completing a normal TURN Allocate and then sending CreatePermission, ChannelBind or Send requests whose XOR-PEER-ADDRESS attribute carries a loopback address (127.0.0.1, ::1, or an IPv4-mapped ::ffff:127.0.0.1). Because the attribute is XOR-encoded against the STUN magic cookie, the bytes 7f 00 00 01 never appear in the packet as such; a checker or detector has to decode the attribute first. The Allocate step requires whatever TURN credentials the deployment hands out, so how freely those credentials are issued decides how close to "unauthenticated" this is in practice.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: releases containing the loopback relay restriction; the vendor advisory names the fixed version.

Vendor Advisory: https://github.com/wireapp/restund/security/advisories/GHSA-96j5-w9jq-pv2x

Restart Required: Yes

Instructions:

1. Update restund to a release that contains the fix named in the vendor advisory.
2. Confirm that the running build refuses relay requests whose peer address is loopback (see How to Verify below).
3. Restart the restund service so the new binary is loaded.

🔧 Temporary Workarounds

Disable status module (all platforms)

Removes the most obvious target: the administrative status interface restund binds to localhost. Edit restund.conf and remove or comment out the lines that enable and bind the status module. Caveat: this does not close the relay hole itself; any other service listening on loopback on the TURN host remains reachable through the relay, so combine it with the host-level blocking below.

Disable TURN module (all platforms)

Removes the vulnerable relay entirely if you only need STUN. Edit restund.conf and remove or comment out the turn module configuration. Clients that depend on relayed media will lose NAT traversal, so this is only an option where TURN is genuinely unused.

🧯 If You Can't Patch

  • Block the restund process from sending to loopback and other sensitive ranges at the host level. Relayed traffic is emitted by the restund process itself, so a network firewall in front of the server cannot see it; use host rules keyed on the process owner (for example an nftables or iptables OUTPUT rule matching restund's uid with destination 127.0.0.0/8, ::1, and whatever private ranges your policy forbids).
  • Run restund on a dedicated host or network segment with nothing else listening on loopback and minimal connectivity to other services, so that a successful relay to localhost reaches nothing worth having.

🔍 How to Verify

Check if Vulnerable:

You are vulnerable if the turn module is enabled in restund.conf and the running build predates the fix; the status module being bound to localhost (the default) makes exploitation immediately useful but is not a precondition.

Check Version:

Check the installed package version with your package manager, or the git commit your build was produced from, and compare against the fixed version named in the vendor advisory (`restund -v` where your build supports it).

Verify Fix Applied:

Confirm the running version includes the loopback relay restriction, then test behaviourally from a TURN client: obtain an allocation and send a CreatePermission (or ChannelBind) request with XOR-PEER-ADDRESS set to 127.0.0.1, ::1 and ::ffff:127.0.0.1. A fixed server answers each with a STUN error response (403 Forbidden is the code RFC 5766 uses for administratively refused peers) instead of creating the permission; a vulnerable server returns a success response. Test the IPv6 and IPv4-mapped forms as well as plain 127.0.0.1, since a fix that only compares against one literal leaves the others open.

📡 Detection & Monitoring

Log Indicators:

  • TURN relay requests to loopback addresses
  • Administrative commands from unexpected sources

Network Indicators:

  • TURN CreatePermission, ChannelBind or Send messages to the relay port whose decoded XOR-PEER-ADDRESS is a loopback address (127.0.0.0/8, ::1, or IPv4-mapped ::ffff:127.0.0.0/8). The attribute is XOR-encoded with the STUN magic cookie 0x2112A442 on the wire, so 127.0.0.1 appears as the bytes 5e 12 a4 43 after the family and port fields, not as 7f 00 00 01.

SIEM Query:

A plain substring match on the payload does not work here, because XOR-PEER-ADDRESS is never present as a literal dotted-quad in the packet. The query needs a STUN-aware decoder in the pipeline that emits the decoded peer address; with such a field (field names below are placeholders for whatever your decoder produces) the search looks like:

dest_port IN (3478, 5349) AND stun.msg_type IN ("CreatePermission", "ChannelBind", "Send") AND stun.xor_peer_address IN (127.0.0.0/8, ::1, ::ffff:127.0.0.0/8)

Without a decoder, fall back to matching the encoded form: the attribute header 00 12 00 08 followed by 00 01 (IPv4 family), two bytes of XORed port, then 5e 12 a4 43 for 127.0.0.1. Other 127.0.0.0/8 addresses XOR to 5e followed by different bytes, so match on the attribute header plus 00 01 and the first byte 5e if you need the whole /8.

🔗 References

  • Vendor advisory: https://github.com/wireapp/restund/security/advisories/GHSA-96j5-w9jq-pv2x
  • NVD entry: https://nvd.nist.gov/vuln/detail/CVE-2021-21382
