CVE-2020-26262

Name of the Vulnerable Software and Affected Versions: Coturn versions prior to 4.5.2

Description: The issue is related to incorrect input validation in Coturn, a free open source implementation of TURN and STUN Server. By sending a CONNECT request with the XOR-PEER-ADDRESS value of 0.0.0.0, a malicious user can relay packets to the loopback interface, bypassing default access control protection. This can be achieved even when Coturn is listening on IPv6 by using either [::1] or [::] as the peer address. The estimated number of potentially affected devices worldwide is not specified. There is no information about real-world incidents where this issue was exploited.

Recommendations: For Coturn versions prior to 4.5.2, update to version 4.5.2 or later to resolve the issue. As a temporary workaround, consider denying the addresses in the address block 0.0.0.0/8, [::1], and [::] by default unless --allow-loopback-peers has been specified. Additionally, administrators can specify --denied-peer-ip=0.0.0.0 (or similar) to prevent malicious users from relaying packets to the loopback interface.