CVE-2018-4058 - Unspecified vulnerability in Coturn Project Coturn
Attack vector | NETWORK |
Attack complexity | LOW |
Privileges required | LOW |
Confidentiality impact | NONE |
Integrity impact | HIGH |
Availability impact | NONE |

Summary
An exploitable unsafe default configuration vulnerability exists in the TURN server functionality of coTURN prior to 4.5.0.9. By default, the TURN server allows relaying external traffic to the loopback interface of its own host. This can provide access to other private services running on that host, which can lead to further attacks. An attacker can set up a relay with a loopback address as the peer on an affected TURN server to trigger this vulnerability.
Vulnerable Configurations
Part | Description | Count |
---|---|---|
Application | | 10 |
Nessus
NASL family | Debian Local Security Checks |
NASL id | DEBIAN_DSA-4373.NASL |

description

Multiple vulnerabilities were discovered in coTURN, a TURN and STUN server for VoIP.

- CVE-2018-4056: A SQL injection vulnerability was discovered in the coTURN administrator web portal. As the administration web interface is shared with the production, it is unfortunately not possible to easily filter outside access and this security update completely disables the web interface. Users should use the local, command line interface instead.
- CVE-2018-4058: Default configuration enables unsafe loopback forwarding. A remote attacker with access to the TURN interface can use this vulnerability to gain access to services that should be local only.
- CVE-2018-4059: Default configuration uses an empty password for the local command line administration interface. An attacker with access to the local console (either a local attacker or a remote attacker taking advantage of CVE-2018-4058) could escalate privileges to administrator of the coTURN server.

last seen | 2020-03-17 |
modified | 2019-01-29 |
plugin id | 121425 |
published | 2019-01-29 |
reporter | This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/121425 |
title | Debian DSA-4373-1 : coturn - security update |

code

```
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Debian Security Advisory DSA-4373. The text
# itself is copyright (C) Software in the Public Interest, Inc.
#

include("compat.inc");

# Plugin metadata block: only evaluated when the scanner loads the plugin description.
if (description)
{
  script_id(121425);
  script_version("1.4");
  script_set_attribute(attribute:"plugin_modification_date", value:"2020/02/20");

  script_cve_id("CVE-2018-4056", "CVE-2018-4058", "CVE-2018-4059");
  script_xref(name:"DSA", value:"4373");

  script_name(english:"Debian DSA-4373-1 : coturn - security update");
  script_summary(english:"Checks dpkg output for the updated package");

  script_set_attribute(
    attribute:"synopsis",
    value:"The remote Debian host is missing a security-related update."
  );
  script_set_attribute(
    attribute:"description",
    value:
"Multiple vulnerabilities were discovered in coTURN, a TURN and STUN
server for VoIP.

  - CVE-2018-4056
    A SQL injection vulnerability was discovered in the
    coTURN administrator web portal. As the administration
    web interface is shared with the production, it is
    unfortunately not possible to easily filter outside
    access and this security update completely disable the
    web interface. Users should use the local, command line
    interface instead.

  - CVE-2018-4058
    Default configuration enables unsafe loopback
    forwarding. A remote attacker with access to the TURN
    interface can use this vulnerability to gain access to
    services that should be local only.

  - CVE-2018-4059
    Default configuration uses an empty password for the
    local command line administration interface. An attacker
    with access to the local console (either a local
    attacker or a remote attacker taking advantage of
    CVE-2018-4058 ) could escalade privileges to
    administrator of the coTURN server."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://security-tracker.debian.org/tracker/CVE-2018-4056"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://security-tracker.debian.org/tracker/CVE-2018-4058"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://security-tracker.debian.org/tracker/CVE-2018-4059"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://security-tracker.debian.org/tracker/CVE-2018-4058"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://security-tracker.debian.org/tracker/source-package/coturn"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://packages.debian.org/source/stretch/coturn"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://www.debian.org/security/2019/dsa-4373"
  );
  script_set_attribute(
    attribute:"solution",
    value:
"Upgrade the coturn packages.

For the stable distribution (stretch), these problems have been fixed
in version 4.5.0.5-1+deb9u1."
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:coturn");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:9.0");

  script_set_attribute(attribute:"vuln_publication_date", value:"2019/02/05");
  script_set_attribute(attribute:"patch_publication_date", value:"2019/01/28");
  script_set_attribute(attribute:"plugin_publication_date", value:"2019/01/29");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"Debian Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");

  exit(0);
}

include("audit.inc");
include("debian_package.inc");

# The check needs authenticated local checks, a Debian host and its dpkg package list.
if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);

# Compare installed coturn packages on Debian 9 against the fixed version.
flag = 0;
if (deb_check(release:"9.0", prefix:"coturn", reference:"4.5.0.5-1+deb9u1")) flag++;

if (flag)
{
  if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());
  else security_hole(0);
  exit(0);
}
else audit(AUDIT_HOST_NOT, "affected");
```

NASL family | FreeBSD Local Security Checks |
NASL id | FREEBSD_PKG_181BEEF6248211E9B4A300155D006B02.NASL |

description

Mihaly Meszaros reports:

We made 4.5.1.0 release public today that fixes many vulnerabilities. It fixes the following vulnerabilities:

- CVE-2018-4056
- CVE-2018-4058
- CVE-2018-4059

They will be exposed very soon.

last seen | 2020-03-18 |
modified | 2019-01-31 |
plugin id | 121495 |
published | 2019-01-31 |
reporter | This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/121495 |
title | FreeBSD : turnserver -- multiple vulnerabilities (181beef6-2482-11e9-b4a3-00155d006b02) |

NASL family | Debian Local Security Checks |
NASL id | DEBIAN_DLA-1671.NASL |

description

Multiple vulnerabilities were discovered in coTURN, a TURN and STUN server for VoIP.

- CVE-2018-4056: A SQL injection vulnerability was discovered in the coTURN administrator web portal. As the administration web interface is shared with the production, it is unfortunately not possible to easily filter outside access and this security update completely disables the web interface. Users should use the local, command line interface instead.
- CVE-2018-4058: Default configuration enables unsafe loopback forwarding. A remote attacker with access to the TURN interface can use this vulnerability to gain access to services that should be local only.
- CVE-2018-4059: Default configuration uses an empty password for the local command line administration interface. An attacker with access to the local console (either a local attacker or a remote attacker taking advantage of CVE-2018-4058) could escalate privileges to administrator of the coTURN server.

For Debian 8

last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 122098 |
published | 2019-02-12 |
reporter | This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/122098 |
title | Debian DLA-1671-1 : coturn security update |

Talos
id | TALOS-2018-0732 |
last seen | 2019-05-29 |
published | 2018-01-29 |
reporter | Talos Intelligence |
source | http://www.talosintelligence.com/vulnerability_reports/TALOS-2018-0732 |
title | coTURN TURN server unsafe loopback forwarding default configuration vulnerability |