PT-2020-3634 · Coturn+4

Felix Doerre · Published 2020-06-29 · Updated 2024-06-15 · CVE-2020-4067

CVSS v2.0: 7.8 (High)
Vector: AV:N/AC:L/Au:N/C:C/I:N/A:N
Name of the Vulnerable Software and Affected Versions: coturn versions prior to 4.5.1.3

Description: The STUN/TURN response buffer is not initialized properly in coturn, so data left over from one client's connection can remain in the padding bytes of responses sent to a different client. An attacker could exploit this to obtain confidential data from another client's connection by intelligently querying coturn to get interesting bytes in the padding bytes.

Recommendations: For versions prior to 4.5.1.3, update to version 4.5.1.3 to resolve the issue. As a temporary workaround, consider restricting access to the STUN/TURN functionality to minimize the risk of exploitation.
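The defect class described above, as an added illustration written for this page (not coturn's own code): a minimal STUN attribute encoder that pads each value to a 4-byte boundary. The buffer, the attribute type 0x0006 and the 0xAA "stale" fill are constructed; the only difference between the leaking and the hardened variant is whether the padding bytes are explicitly zeroed before the message leaves the buffer.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define STUN_ATTR_HDR_LEN 4   /* 2-byte type + 2-byte length */

/* Append one TLV attribute at offset 'off' in 'buf'. Values are padded to a
 * multiple of 4 bytes. Returns the new offset, or 0 if it would not fit.
 * zero_padding == 0: padding bytes are left untouched, so whatever was in the
 *   buffer before (e.g. an earlier client's response) is sent on the wire.
 * zero_padding == 1: padding bytes are cleared (the hardened behaviour). */
size_t stun_attr_add(uint8_t *buf, size_t buflen, size_t off, uint16_t type,
                     const uint8_t *val, uint16_t vlen, int zero_padding)
{
    size_t padded = ((size_t)vlen + 3) & ~(size_t)3;
    if (off + STUN_ATTR_HDR_LEN + padded > buflen)
        return 0;
    buf[off]     = (uint8_t)(type >> 8);
    buf[off + 1] = (uint8_t)(type & 0xff);
    buf[off + 2] = (uint8_t)(vlen >> 8);
    buf[off + 3] = (uint8_t)(vlen & 0xff);
    memcpy(buf + off + STUN_ATTR_HDR_LEN, val, vlen);
    if (zero_padding)
        memset(buf + off + STUN_ATTR_HDR_LEN + vlen, 0, padded - vlen);
    return off + STUN_ATTR_HDR_LEN + padded;
}

/* Encode a 5-byte value into a buffer that still holds stale data (constructed
 * 0xAA fill) and count how many padding bytes still carry that stale data.
 * Returns -1 if encoding failed. */
int leaked_padding_bytes(int zero_padding)
{
    uint8_t buf[16];
    memset(buf, 0xAA, sizeof buf);        /* stale bytes from a previous message */
    const uint8_t val[5] = {1, 2, 3, 4, 5};
    size_t end = stun_attr_add(buf, sizeof buf, 0, 0x0006, val, 5, zero_padding);
    if (end == 0)
        return -1;
    int leaked = 0;
    for (size_t i = STUN_ATTR_HDR_LEN + 5; i < end; i++)
        if (buf[i] != 0)
            leaked++;
    return leaked;                        /* 3 without zeroing, 0 with zeroing */
}
```

A detection-side variant of the same check, run over captured STUN responses, would flag any attribute whose padding bytes are non-zero.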

Fix

Weakness Enumeration

Improper Initialization

Related Identifiers

ALT-PU-2021-2683
ALT-PU-2022-2460
BDU:2020-03981
CVE-2020-4067
DLA-2271-1
DSA-4711-1
GHSA-C8R8-8VP5-6GCM
MGASA-2020-0287
OPENSUSE-SU-2020:0937-1
OPENSUSE-SU-2020_0937-1
OPENSUSE-SU-2024:10696-1
USN-4415-1

Affected Products

Alt Linux
Linuxmint
Suse
Ubuntu
Coturn