Improper Initialization in coTURN coTURN

1) Improper Initialization

EUVDB-ID: #VU30159

Risk: Medium

CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2020-4067

CWE-ID: CWE-665 - Improper Initialization

Exploit availability: No

Description

The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.

In coturn before version 4.5.1.3, there is an issue whereby STUN/TURN response buffer is not initialized properly. There is a leak of information between different client connections. One client (an attacker) could use their connection to intelligently query coturn to get interesting bytes in the padding bytes from the connection of another client. This has been fixed in 4.5.1.3.

Mitigation

Install update from vendor's website.

Vulnerable software versions

coTURN: 4.5.1.0 - 4.5.1.2

CPE2.3

• cpe:2.3:a:coturn:coturn:4.5.1.0:*:*:*:*:*:*:*
• cpe:2.3:a:coturn:coturn:4.5.1.1:*:*:*:*:*:*:*
• cpe:2.3:a:coturn:coturn:4.5.1.2:*:*:*:*:*:*:*

External links

https://lists.opensuse.org/opensuse-security-announce/2020-07/msg00010.html
https://github.com/coturn/coturn/blob/aab60340b201d55c007bcdc853230f47aa2dfdf1/ChangeLog#L15
https://github.com/coturn/coturn/issues/583
https://github.com/coturn/coturn/security/advisories/GHSA-c8r8-8vp5-6gcm
https://lists.debian.org/debian-lts-announce/2020/07/msg00002.html
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5G35UBNSRLL6SYRTODYTMBJ65TLQILUM/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TNJJO77ZLGGFJWNUGP6VDG5HPAC5UDBK/
https://usn.ubuntu.com/4415-1/
https://www.debian.org/security/2020/dsa-4711

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.