PT-2021-4479 · Restund · Restund

Sebastian Kemper · Published 2021-06-11 · Updated 2022-10-21 · CVE-2021-21382

CVSS v3.1: 9.6 (Critical)
Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions: Restund (affected versions not specified)

Description: The issue affects the Restund TURN server, which can be instructed to open a relay to the loopback address range, potentially exposing private services running on localhost. An attacker can exploit this by setting the XOR-PEER-ADDRESS to 127.0.0.1:{{restund udp status port}} when opening a TURN channel, which allows them to issue administrative commands to Restund's status interface. This could enable the execution of arbitrary commands. To mitigate this, explicitly disallow relaying to loopback addresses, 'any' addresses, link-local addresses, and the broadcast address.

Recommendations: As a temporary workaround, disable the status module in your Restund configuration. Disable the turn module if possible: Restund will still perform STUN, which may be sufficient for initiating calls in your environment. Ensure the TURN server is protected by firewall rules that prevent relaying to unwanted addresses. Ideally, deploy TURN servers in an isolated fashion, so they can reach only the resources necessary for their NAT-traversal task.
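A relay peer-address policy check implementing the mitigation the advisory recommends, as an added example that is not Restund's own code; the function names and the sample peer list are constructed. It also unwraps IPv4-mapped IPv6 addresses, which a check applied only to the literal IPv6 form would miss.

```python
"""Policy check for TURN relay targets (XOR-PEER-ADDRESS), added example.

Rejects loopback, unspecified ('any'), link-local and limited-broadcast
destinations before a relay/permission is created. Not Restund code.
"""
import ipaddress
from ipaddress import IPv4Address, IPv6Address
from typing import List, Tuple

IPV4_BROADCAST = IPv4Address("255.255.255.255")


def split_host_port(peer: str) -> Tuple[str, int]:
    """Split '192.0.2.1:3478' or '[2001:db8::1]:3478' into (host, port)."""
    if peer.startswith("["):
        host, _, rest = peer[1:].partition("]")
        if not rest.startswith(":"):
            raise ValueError("malformed IPv6 peer: %s" % peer)
        return host, int(rest[1:])
    host, sep, port = peer.rpartition(":")
    if not sep:
        raise ValueError("missing port: %s" % peer)
    return host, int(port)


def relay_target_allowed(host: str) -> Tuple[bool, str]:
    """Return (allowed, reason) for a requested relay destination address."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False, "unparseable address"
    # ::ffff:127.0.0.1 is loopback in disguise: apply the IPv4 rules to it.
    if isinstance(addr, IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    if addr.is_loopback:
        return False, "loopback"
    if addr.is_unspecified:
        return False, "unspecified ('any')"
    if addr.is_link_local:
        return False, "link-local"
    if isinstance(addr, IPv4Address) and addr == IPV4_BROADCAST:
        return False, "broadcast"
    return True, "ok"


def rejected_peers(peers: List[str]) -> List[Tuple[str, str]]:
    """Audit a batch of 'host:port' peer requests; return (peer, reason) for denials."""
    denied = []
    for peer in peers:
        host, _port = split_host_port(peer)
        allowed, reason = relay_target_allowed(host)
        if not allowed:
            denied.append((peer, reason))
    return denied


# Constructed sample requests: one legitimate peer plus the address classes
# the advisory says must be refused (loopback, any, link-local, broadcast).
SAMPLE_PEERS = ["203.0.113.10:49152", "127.0.0.1:33000", "0.0.0.0:3478",
                "169.254.10.1:5000", "[::ffff:127.0.0.1]:33000", "255.255.255.255:3478"]
```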

Weakness Enumeration

Missing Authorization
Exposure of Resource to Wrong Sphere

Related Identifiers

BDU:2021-05112
CVE-2021-21382
GHSA-6G6J-R9RF-CM7P
GHSA-96J5-W9JQ-PV2X

Affected Products

Restund