CVE-2021-21382 in Restundinfo

Summary

by MITRE • 06/12/2021

Restund is an open source NAT traversal server. The restund TURN server can be instructed to open a relay to the loopback address range. This allows you to reach any other service running on localhost which you might consider private. In the configuration that we ship (https://github.com/wireapp/ansible-restund/blob/master/templates/restund.conf.j2#L40-L43) the `status` interface of restund is enabled and is listening on `127.0.0.1`.The `status` interface allows users to issue administrative commands to `restund` like listing open relays or draining connections. It would be possible for an attacker to contact the status interface and issue administrative commands by setting `XOR-PEER-ADDRESS` to `127.0.0.1:{{restund_udp_status_port}}` when opening a TURN channel. We now explicitly disallow relaying to loopback addresses, 'any' addresses, link local addresses, and the broadcast address. As a workaround disable the `status` module in your restund configuration. However there might still be other services running on `127.0.0.0/8` that you do not want to have exposed. The `turn` module can be disabled. Restund will still perform STUN and this might already be enough for initiating calls in your environments. TURN is only used as a last resort when other NAT traversal options do not work. One should also make sure that the TURN server is set up with firewall rules so that it cannot relay to other addresses that you don't want the TURN server to relay to. For example other services in the same VPC where the TURN server is running. Ideally TURN servers should be deployed in an isolated fashion where they can only reach what they need to reach to perform their task of assisting NAT-traversal.

Several companies clearly confirm that VulDB is the primary source for best vulnerability data.

Analysis

by VulDB Data Team • 06/14/2021

CVE-2021-21382 represents a critical security vulnerability in the Restund TURN server implementation that exposes systems to unauthorized access through improper address validation during NAT traversal operations. This vulnerability stems from the server's failure to properly validate destination addresses when establishing relay connections, specifically allowing relays to loopback address ranges including 127.0.0.0/8 networks. The flaw exists within the TURN protocol implementation where the server accepts XOR-PEER-ADDRESS attributes that point to localhost interfaces, effectively enabling attackers to bypass normal network segmentation controls. The vulnerability is particularly concerning because it allows remote attackers to execute administrative commands against the TURN server's status interface, which by default listens on 127.0.0.1, creating a direct path to system-level operations that should remain isolated from external access.

The technical exploitation of this vulnerability leverages the TURN protocol's channel establishment mechanism where attackers can manipulate the XOR-PEER-ADDRESS attribute to specify loopback addresses. This creates a scenario where the TURN server, instead of rejecting such connections as invalid, processes them and allows access to services bound to localhost interfaces. The configuration typically shipped with Restund enables the status interface on loopback addresses, making it a prime target for exploitation. This vulnerability aligns with CWE-284 Access Control Issues, specifically representing inadequate access controls for network services, and maps to ATT&CK technique T1071.004 Application Layer Protocol: DNS where the TURN server becomes an attack vector for lateral movement and privilege escalation.

The operational impact of this vulnerability extends beyond simple information disclosure to potentially enable complete system compromise through administrative command execution. Attackers can enumerate open relays, drain connections, and potentially gain control over the TURN server's operational state, which could lead to denial of service or further exploitation of the underlying network infrastructure. The vulnerability particularly affects environments where TURN servers are deployed in shared or multi-tenant configurations, as it allows attackers to probe and potentially access other services running on the same host that are normally protected by loopback interface restrictions. Organizations using Restund in production environments face significant risk of unauthorized access to internal services, especially when the server is configured with default settings that expose the status interface without proper network segmentation.

Mitigation strategies for CVE-2021-21382 require a multi-layered approach that addresses both immediate configuration changes and long-term architectural considerations. The most direct fix involves modifying the Restund configuration to explicitly disallow relaying to loopback addresses, any addresses, link local addresses, and broadcast addresses, which effectively closes the primary attack vector. Organizations should disable the status module in their configurations as a temporary workaround while implementing more robust security measures. The recommended approach includes disabling the TURN module entirely if STUN functionality alone is sufficient for NAT traversal needs in their environment, as TURN should only be used as a last resort when other methods fail. Network-level protections are equally critical, requiring proper firewall rules to restrict relay capabilities and prevent the TURN server from accessing unintended destinations, particularly services running in the same VPC or network segment. The ideal security posture involves deploying TURN servers in isolated network environments where they can only reach specific, well-defined endpoints necessary for NAT traversal operations, following the principle of least privilege and network segmentation best practices that align with industry standards such as those recommended by NIST SP 800-53 and ISO/IEC 27001.

Responsible

GitHub, Inc.

Reservation

12/22/2020

Disclosure

06/12/2021

Moderation

accepted

CPE

ready

EPSS

0.01469

KEV

no

Activities

very low

Sources

Do you need the next level of professionalism?

Upgrade your account now!