Sebastian Kemper

#26743 of 53,635
9.6 Total CVSS
Vulnerabilities · 1
PT-2021-4479
9.6
2021-06-11
Restund · Restund · CVE-2021-21382
**Name of the Vulnerable Software and Affected Versions**

Restund (affected versions not specified)

**Description**

The issue concerns the Restund TURN server, which can be instructed to open a relay to the loopback address range, potentially exposing private services running on localhost. An attacker can exploit this by setting `XOR-PEER-ADDRESS` to `127.0.0.1:{{restund udp status port}}` when opening a TURN channel, which lets them issue administrative commands to Restund's `status` interface and could enable execution of arbitrary commands. To mitigate this, explicitly disallow relaying to loopback addresses, 'any' addresses, link-local addresses, and the broadcast address.

**Recommendations**

As a temporary workaround, disable the `status` module in your Restund configuration. Disable the `turn` module if possible; Restund will still perform STUN, which might be sufficient for initiating calls in your environment. Configure firewall rules on the TURN server so that it cannot relay to unwanted addresses. Ideally, deploy TURN servers in isolation, allowing them to reach only the resources needed for their NAT-traversal task.
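The following is an added example, not Restund's code or anything from the advisory, showing the server-side check the mitigation calls for: decode the peer address a client requests in `XOR-PEER-ADDRESS` (using the XOR-MAPPED-ADDRESS encoding from RFC 8489, which TURN reuses) and refuse the relay when the destination is loopback, 'any', link-local or broadcast. The deny list `DENIED_NETWORKS`, the function names and the sample peers are this example's own assumptions; it also unwraps IPv4-mapped IPv6 addresses so that `::ffff:127.0.0.1` is caught as loopback too.

```python
"""Peer-address screening for a TURN relay (added example; not Restund's code).

Decodes an XOR-PEER-ADDRESS attribute value using the XOR-MAPPED-ADDRESS
encoding from RFC 8489 (reused by TURN, RFC 8656) and refuses relays to
loopback, 'any', link-local and broadcast destinations, which is the
mitigation the advisory recommends.  DENIED_NETWORKS and all function names
are this example's own choices.
"""
import ipaddress
import struct

MAGIC_COOKIE = 0x2112A442          # STUN magic cookie (RFC 8489, section 5)

# Destinations a relay must never reach.  IPv4-mapped IPv6 addresses are
# unwrapped before the check so ::ffff:127.0.0.1 is caught as well.
DENIED_NETWORKS = [
    ipaddress.ip_network("127.0.0.0/8"),         # IPv4 loopback
    ipaddress.ip_network("0.0.0.0/8"),           # 'any' / this host
    ipaddress.ip_network("169.254.0.0/16"),      # IPv4 link-local
    ipaddress.ip_network("255.255.255.255/32"),  # limited broadcast
    ipaddress.ip_network("::1/128"),             # IPv6 loopback
    ipaddress.ip_network("::/128"),              # IPv6 unspecified
    ipaddress.ip_network("fe80::/10"),           # IPv6 link-local
]


def decode_xor_peer_address(value, transaction_id):
    """Return (ip, port) from the raw value of an XOR-PEER-ADDRESS attribute."""
    family, xport = struct.unpack("!xBH", value[:4])   # pad, family, X-Port
    port = xport ^ (MAGIC_COOKIE >> 16)
    if family == 0x01:                                   # IPv4
        (xaddr,) = struct.unpack("!I", value[4:8])
        return ipaddress.IPv4Address(xaddr ^ MAGIC_COOKIE), port
    if family == 0x02:                                   # IPv6
        key = struct.pack("!I", MAGIC_COOKIE) + transaction_id
        raw = bytes(a ^ b for a, b in zip(value[4:20], key))
        return ipaddress.IPv6Address(raw), port
    raise ValueError(f"unknown address family {family:#x}")


def encode_xor_peer_address(ip_str, port, transaction_id=b"\x00" * 12):
    """Build an attribute value; used here only to construct sample input."""
    ip = ipaddress.ip_address(ip_str)
    xport = port ^ (MAGIC_COOKIE >> 16)
    if ip.version == 4:
        return struct.pack("!BBHI", 0, 1, xport, int(ip) ^ MAGIC_COOKIE)
    key = struct.pack("!I", MAGIC_COOKIE) + transaction_id
    return struct.pack("!BBH", 0, 2, xport) + bytes(a ^ b for a, b in zip(ip.packed, key))


def relay_allowed(ip):
    """True unless the peer address falls in a denied range."""
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return not any(ip in net for net in DENIED_NETWORKS)


def screen_peer(value, transaction_id):
    """Decode an XOR-PEER-ADDRESS value and decide whether to open the relay.

    Returns (allowed, message); the message is what a server would log.
    """
    ip, port = decode_xor_peer_address(value, transaction_id)
    if relay_allowed(ip):
        return True, f"relay to {ip}:{port} permitted"
    return False, f"relay to {ip}:{port} refused: destination in denied range"


if __name__ == "__main__":
    txid = b"\x01" * 12   # constructed transaction ID for the demo
    # Constructed sample peers: the advisory's loopback case and a benign one.
    for peer in [("127.0.0.1", 3478), ("::ffff:127.0.0.1", 3478),
                 ("fe80::1", 5000), ("203.0.113.5", 50000)]:
        print(screen_peer(encode_xor_peer_address(*peer, txid), txid))
```

The check belongs wherever the server handles CreatePermission and ChannelBind, since both carry the peer address; a firewall rule on the relay host is the belt-and-braces layer the advisory also recommends, because it still holds if the application-level filter is bypassed or misconfigured.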