CVE-2020-26262 in Coturn
Summary
by MITRE • 01/14/2021
Coturn is a free, open source implementation of a TURN and STUN server. Coturn before version 4.5.2 by default does not allow peers to connect and relay packets to loopback addresses in the range of `127.x.x.x`. However, it was observed that when sending a `CONNECT` request with the `XOR-PEER-ADDRESS` value of `0.0.0.0`, a successful response was received and, subsequently, `CONNECTIONBIND` also received a successful response. Coturn is then able to relay packets to the loopback interface. Additionally, when coturn is listening on IPv6, which is the default, the loopback interface can also be reached by making use of either `[::1]` or `[::]` as the peer address. By using the address `0.0.0.0` as the peer address, a malicious user will be able to relay packets to the loopback interface, unless `--denied-peer-ip=0.0.0.0` (or similar) has been specified. Since the default configuration implies that loopback peers are not allowed, coturn administrators may choose not to set the `denied-peer-ip` setting. The issue is patched in version 4.5.2. As a workaround, the addresses in the address block `0.0.0.0/8`, `[::1]` and `[::]` should be denied by default unless `--allow-loopback-peers` has been specified.
Analysis
by VulDB Data Team • 02/26/2026
The vulnerability described in CVE-2020-26262 affects Coturn, an open source implementation of TURN and STUN servers that relays media for applications that must traverse network address translation. The flaw is a bypass of the software's default security controls, specifically the restriction that prevents peers from reaching loopback addresses. It exists in versions prior to 4.5.2 and stems from improper handling of peer connection requests that the default configuration should have blocked.
The vulnerability is triggered through the CONNECT request of the TURN protocol. When a client sends a CONNECT request with the XOR-PEER-ADDRESS field set to 0.0.0.0, the server responds successfully and proceeds to establish a connection binding, allowing packets to be relayed to the loopback interface despite the default policy. The same behavior occurs in IPv6 environments, where the addresses [::1] and [::] can also be used to reach the loopback interface. The flaw is a failure of input validation and access control enforcement: the server's security model is circumvented by address values that should have been rejected by default.
The operational impact of this vulnerability is substantial, as it gives attackers unauthorized access to the local system's loopback interface, potentially enabling attack vectors including local privilege escalation, information disclosure, and denial of service. The severity is amplified by the fact that the bypass works silently in default configurations, so administrators may be unaware of the weakened security posture. The issue corresponds to CWE-284 (Improper Access Control) and aligns with ATT&CK techniques such as T1068 (Exploitation for Privilege Escalation) and T1071.004 (Application Layer Protocol: DNS) when used in conjunction with other attack methods. The ability to relay packets to loopback addresses allows attackers to bypass network segmentation and reach internal services that should remain isolated from external networks.
The vulnerability was addressed in version 4.5.2 through proper enforcement of loopback address restrictions, so that loopback peer connections now require explicit administrator configuration. The recommended mitigations include setting denied-peer-ip with the appropriate address blocks, specifically blocking the 0.0.0.0/8 range and the IPv6 addresses [::1] and [::], unless the --allow-loopback-peers flag is explicitly configured. This approach aligns with security best practices outlined in the NIST Cybersecurity Framework and ISO/IEC 27001 standards for access control management. Organizations should also implement network monitoring to detect unusual traffic patterns that might indicate exploitation attempts, and conduct regular security assessments to ensure proper configuration of TURN server deployments. The vulnerability highlights the importance of input validation and access control enforcement in network services, particularly those handling peer-to-peer communication and packet relaying.
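To make the bypass and the fix concrete, here is an added Python model (not coturn's own code) that decodes the XOR-PEER-ADDRESS attribute of a CONNECT request and applies the peer policy the fix describes: 0.0.0.0/8, [::1] and [::] are refused alongside 127.0.0.0/8 unless loopback peers are explicitly allowed, after which administrator denied-peer-ip ranges apply. The attribute bytes and transaction ID are constructed samples, and treating IPv4-mapped IPv6 peers as their IPv4 form is an assumption that goes beyond the advisory text.

```python
import ipaddress
import struct

MAGIC_COOKIE = b"\x21\x12\xa4\x42"  # RFC 5389 STUN magic cookie

# Peer ranges that reach the relay host itself: the 127/8 range coturn already
# refused by default, plus the 0.0.0.0/8, ::1 and :: values from the advisory.
LOOPBACK_LIKE = [ipaddress.ip_network(n)
                 for n in ("127.0.0.0/8", "0.0.0.0/8", "::1/128", "::/128")]


def xor_bytes(data: bytes, key: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, key))


def decode_xor_address(value: bytes, txn_id: bytes):
    """Return (ip, port) from an XOR-*-ADDRESS attribute value. The port is
    XORed with the top 16 bits of the cookie, an IPv4 address with the cookie,
    an IPv6 address with cookie + 96-bit transaction ID (RFC 5389/5766)."""
    family = value[1]
    port = struct.unpack("!H", value[2:4])[0] ^ 0x2112
    if family == 0x01:
        return ipaddress.IPv4Address(xor_bytes(value[4:8], MAGIC_COOKIE)), port
    if family == 0x02:
        key = MAGIC_COOKIE + txn_id
        return ipaddress.IPv6Address(xor_bytes(value[4:20], key)), port
    raise ValueError(f"unknown address family {family:#x}")


def peer_allowed(ip, allow_loopback_peers=False, denied_peer_ranges=()):
    """Deny loopback-like peers unless explicitly allowed, then apply the
    administrator's denied-peer-ip ranges. Assumption beyond the advisory:
    IPv4-mapped IPv6 peers (::ffff:a.b.c.d) are checked as IPv4."""
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped:
        ip = ip.ipv4_mapped
    if not allow_loopback_peers and any(ip in net for net in LOOPBACK_LIKE):
        return False
    return not any(ip in ipaddress.ip_network(r) for r in denied_peer_ranges)


def check_connect(value: bytes, txn_id: bytes, **policy):
    """Decode the peer of a CONNECT request; return (ip_text, port, allowed)."""
    ip, port = decode_xor_address(value, txn_id)
    return str(ip), port, peer_allowed(ip, **policy)


if __name__ == "__main__":
    # Constructed sample: peer 0.0.0.0:8080. The XORed IPv4 bytes equal the
    # magic cookie itself (0 XOR cookie == cookie), a handy detection signature.
    print(check_connect(b"\x00\x01\x3e\x82" + MAGIC_COOKIE, bytes(range(12))))
```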