CVE-2018-4058 in coTURN
Summary
by MITRE
An exploitable unsafe default configuration vulnerability exists in the TURN server functionality of coTURN prior to 4.5.0.9. By default, the TURN server allows relaying external traffic to the loopback interface of its own host. This can provide access to other private services running on that host, which can lead to further attacks. An attacker can set up a relay with a loopback address as the peer on an affected TURN server to trigger this vulnerability.
Analysis
by VulDB Data Team • 08/03/2023
CVE-2018-4058 is an unsafe-default-configuration weakness in the coTURN TURN server. By default the server does not restrict relaying to the loopback interface of its own host, which gives external clients a path around network segmentation controls. The issue affects coTURN versions prior to 4.5.0.9, so the behaviour persisted across several releases before it was addressed. The weakness sits at the network protocol level, in the trust the TURN server extends between the clients it serves and the network behind it.
Exploitation relies on the server's default acceptance of relay requests whose peer address is a loopback address. An attacker who opens a TURN session and sets the peer address to the loopback interface of the server host causes the server to relay traffic between the external client and services bound to localhost. Private services that were meant to be reachable only from the host itself thus become reachable through the relay, turning the TURN server from a legitimate network relay component into a gateway for internal network reconnaissance and exploitation.
The operational impact goes well beyond information disclosure. An attacker can discover and target localhost-only services that network segmentation was supposed to protect, including database servers, administrative interfaces and internal APIs, and potentially escalate privileges within the affected environment. The TURN server inadvertently provides a backdoor to services that should remain isolated from external traffic, a clear violation of the principle of least privilege. Environments where a public-facing TURN server also hosts internal services that rely on loopback-only accessibility are the most exposed.
Security practitioners should treat this as a classic failure of access control and network boundary enforcement, aligned with CWE-284, which covers inadequate access control mechanisms. The attack vector matches the MITRE ATT&CK techniques T1046 and T1071, involving network service exploitation and protocol manipulation. Immediate mitigations: upgrade to coTURN 4.5.0.9 or later, configure explicit access control lists that deny relaying to loopback addresses, and apply network segmentation that separates TURN server functionality from internal service access. Regular security audits should also confirm that TURN server configurations enforce these boundary constraints and that default settings do not expose internal services to external attack surfaces.
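Checking a turnserver.conf for the loopback deny rules the mitigation above calls for, as an added example that is not coTURN's own code. It assumes the standard `denied-peer-ip=` directive in its single-address, dash-range and CIDR forms, and runs over two constructed sample configs: one resembling the pre-4.5.0.9 default with no deny rules, and one with the loopback ranges denied.

```python
"""Audit a coTURN turnserver.conf for loopback relay exposure (CVE-2018-4058).

Added example, not coTURN's own code. It reads the real `denied-peer-ip=`
directive and reports whether representative loopback peers (127.0.0.0/8
and ::1) would be refused as relay destinations.
"""
import ipaddress

LOOPBACK_PROBES = ["127.0.0.1", "127.0.0.2", "::1"]  # loopback peers a relay could target


def parse_denied_peers(conf_text):
    """Return (low, high) address ranges from every denied-peer-ip line."""
    ranges = []
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()        # drop comments and whitespace
        if not line.startswith("denied-peer-ip"):
            continue
        value = line.split("=", 1)[1].strip()
        if "-" in value:                            # range form: low-high
            low, high = (ipaddress.ip_address(p.strip()) for p in value.split("-", 1))
        elif "/" in value:                          # CIDR form, in case a deployment uses it
            net = ipaddress.ip_network(value, strict=False)
            low, high = net[0], net[-1]
        else:                                       # single address form
            low = high = ipaddress.ip_address(value)
        ranges.append((low, high))
    return ranges


def is_denied(addr, ranges):
    """True if addr falls inside any denied range of the same IP version."""
    ip = ipaddress.ip_address(addr)
    return any(low.version == ip.version and low <= ip <= high for low, high in ranges)


def audit(conf_text):
    """Map each loopback probe address to whether the config denies it."""
    ranges = parse_denied_peers(conf_text)
    return {probe: is_denied(probe, ranges) for probe in LOOPBACK_PROBES}


# Constructed sample configs (not from any real deployment).
UNSAFE_CONF = "listening-port=3478\nrealm=example.org   # no deny rules: loopback reachable\n"
HARDENED_CONF = (
    "listening-port=3478\nrealm=example.org\n"
    "denied-peer-ip=127.0.0.0-127.255.255.255   # IPv4 loopback block\n"
    "denied-peer-ip=::1                          # IPv6 loopback\n"
)

if __name__ == "__main__":
    for name, conf in (("unsafe", UNSAFE_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit(conf))
```

Any probe reported as False means a relay allocation with that peer would not be blocked by the config alone, so the upgrade to 4.5.0.9 or later is still needed.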