Nicolas Edet of Cisco discovered these vulnerabilities.
Executive summary
Today, Cisco Talos is disclosing three vulnerabilities in coTURN. coTURN is an open-source implementation of TURN and STUN servers that can be used as a general-purpose network traffic TURN server. TURN servers are usually deployed in so-called “DMZ” zones (any server reachable from the internet) to provide firewall traversal solutions.
In accordance with our coordinated disclosure policy, Cisco Talos worked with coTURN to ensure that these issues are resolved and that an update is available for affected customers.
Vulnerability details
coTURN administrator web portal SQL injection vulnerability (TALOS-2018-0730/CVE-2018-4056)
An exploitable SQL injection vulnerability exists in the administrator web portal function of coTURN. A login message with a specially crafted username can cause an SQL injection, resulting in authentication bypass, which could give access to the TURN server administrator web portal. An attacker can log in via the external interface of the TURN server to trigger this vulnerability.
For more information on this vulnerability, read the full advisory here.
coTURN TURN server unsafe loopback forwarding default configuration vulnerability (TALOS-2018-0723/CVE-2018-4058)
An exploitable unsafe default configuration vulnerability exists in the TURN server function of coTURN. By default, the TURN server allows relaying external traffic to the loopback interface of its own host. This can provide access to other private services running on that host, which can lead to additional attacks. An attacker can set up a relay with a loopback address as the peer on an affected TURN server to trigger this vulnerability.
For more information on this vulnerability, read the full advisory here.
coTURN server unsafe telnet admin portal default configuration vulnerability (TALOS-2018-0733/CVE-2018-4059)
An exploitable unsafe default configuration vulnerability exists in the TURN server function of coTURN. By default, the TURN server runs an unauthenticated telnet admin portal on the loopback interface. This can provide administrator access to the TURN server configuration, which can lead to additional attacks. An attacker who can get access to the telnet port can gain administrator access to the TURN server.
For more information on this vulnerability, read the full advisory here.
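The two default-configuration issues above (CVE-2018-4058 and CVE-2018-4059) can be checked for in a deployment's configuration file. The following is an added example, not code from coTURN or Talos: it audits turnserver.conf text under the defaults of the affected versions (before 4.5.0.9). The option names `no-loopback-peers`, `allow-loopback-peers`, `no-cli` and `cli-password` are assumed to be coTURN's turnserver.conf options and do not appear in the advisory text; the sample configurations are constructed.

```python
# Added example (not coTURN or Talos code): audit turnserver.conf text for the
# two unsafe defaults described above.
# Assumption: the option names below are coTURN turnserver.conf options; the
# advisory text itself names none of them.

def parse_conf(text):
    """Return {option: value} for 'name' and 'name=value' lines."""
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):  # skip blanks and comment lines
            continue
        name, _, value = line.partition("=")
        opts[name.strip().lower()] = value.strip().strip('"')
    return opts

def audit(text):
    """Return findings, assuming the defaults of the affected versions."""
    opts = parse_conf(text)
    findings = []
    # Flag when loopback relaying is explicitly allowed or not explicitly disabled.
    if "allow-loopback-peers" in opts or "no-loopback-peers" not in opts:
        findings.append("CVE-2018-4058: relaying to loopback peers is allowed")
    # Flag when the telnet admin CLI is neither disabled nor password-protected.
    if "no-cli" not in opts and not opts.get("cli-password"):
        findings.append("CVE-2018-4059: telnet admin CLI has no password")
    return findings

# Constructed sample configurations (not taken from any real deployment).
SAMPLE_DEFAULT = """\
# nothing here overrides the defaults
listening-port=3478
realm=turn.example.org
"""
SAMPLE_HARDENED = """\
listening-port=3478
realm=turn.example.org
no-loopback-peers
no-cli
"""

if __name__ == "__main__":
    for label, conf in (("default", SAMPLE_DEFAULT), ("hardened", SAMPLE_HARDENED)):
        print(label, audit(conf) or "no findings")
```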
Versions tested
Talos tested and confirmed that all versions of coTURN prior to 4.5.0.9 are affected by these vulnerabilities.
Coverage
The following SNORT® rules will detect exploitation attempts. Note that additional rules may be released at a future date and current rules are subject to change pending additional vulnerability information. For the most current rule information, please refer to your Firepower Management Center or Snort.org.
Snort Rules: 48456 - 48458