Vulnerabilities > CVE-2018-4059 - Missing Authorization vulnerability in Coturn Project Coturn

CVSS 9.8 - CRITICAL

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

HIGH

Integrity impact

HIGH

Availability impact

HIGH

network

low complexity

coturn-project

CWE-862

critical

nessus

NVD

Published: 2019-03-21

Updated: 2022-06-07

Summary

An exploitable unsafe default configuration vulnerability exists in the TURN server function of coTURN prior to version 4.5.0.9. By default, the TURN server runs an unauthenticated telnet admin portal on the loopback interface. This can provide administrator access to the TURN server configuration, which can lead to additional attacks. An attacker who can get access to the telnet port can gain administrator access to the TURN server.

Vulnerable Configurations

Part	Description	Count
Application	Coturn_Project Coturn Project Coturn 4.4.5.3 Coturn Project Coturn 4.4.5.4 Coturn Project Coturn 4.5.0.1 Coturn Project Coturn 4.5.0.2 Coturn Project Coturn 4.5.0.3 Coturn Project Coturn 4.5.0.4 Coturn Project Coturn 4.5.0.5 Coturn Project Coturn 4.5.0.6 Coturn Project Coturn 4.5.0.7 Coturn Project Coturn 4.5.0.8	10

Common Weakness Enumeration (CWE)

CWE-862 - Missing Authorization

Nessus

NASL family	Debian Local Security Checks
NASL id	DEBIAN_DSA-4373.NASL
description	Multiple vulnerabilities were discovered in coTURN, a TURN and STUN server for VoIP. - CVE-2018-4056 A SQL injection vulnerability was discovered in the coTURN administrator web portal. As the administration web interface is shared with the production, it is unfortunately not possible to easily filter outside access and this security update completely disable the web interface. Users should use the local, command line interface instead. - CVE-2018-4058 Default configuration enables unsafe loopback forwarding. A remote attacker with access to the TURN interface can use this vulnerability to gain access to services that should be local only. - CVE-2018-4059 Default configuration uses an empty password for the local command line administration interface. An attacker with access to the local console (either a local attacker or a remote attacker taking advantage of CVE-2018-4058 ) could escalade privileges to administrator of the coTURN server.
last seen	2020-03-17
modified	2019-01-29
plugin id	121425
published	2019-01-29
reporter	This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/121425
title	Debian DSA-4373-1 : coturn - security update
code	# # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Debian Security Advisory DSA-4373. The text # itself is copyright (C) Software in the Public Interest, Inc. # include("compat.inc"); if (description) { script_id(121425); script_version("1.4"); script_set_attribute(attribute:"plugin_modification_date", value:"2020/02/20"); script_cve_id("CVE-2018-4056", "CVE-2018-4058", "CVE-2018-4059"); script_xref(name:"DSA", value:"4373"); script_name(english:"Debian DSA-4373-1 : coturn - security update"); script_summary(english:"Checks dpkg output for the updated package"); script_set_attribute( attribute:"synopsis", value:"The remote Debian host is missing a security-related update." ); script_set_attribute( attribute:"description", value: "Multiple vulnerabilities were discovered in coTURN, a TURN and STUN server for VoIP. - CVE-2018-4056 A SQL injection vulnerability was discovered in the coTURN administrator web portal. As the administration web interface is shared with the production, it is unfortunately not possible to easily filter outside access and this security update completely disable the web interface. Users should use the local, command line interface instead. - CVE-2018-4058 Default configuration enables unsafe loopback forwarding. A remote attacker with access to the TURN interface can use this vulnerability to gain access to services that should be local only. - CVE-2018-4059 Default configuration uses an empty password for the local command line administration interface. An attacker with access to the local console (either a local attacker or a remote attacker taking advantage of CVE-2018-4058 ) could escalade privileges to administrator of the coTURN server." ); script_set_attribute( attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2018-4056" ); script_set_attribute( attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2018-4058" ); script_set_attribute( attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2018-4059" ); script_set_attribute( attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2018-4058" ); script_set_attribute( attribute:"see_also", value:"https://security-tracker.debian.org/tracker/source-package/coturn" ); script_set_attribute( attribute:"see_also", value:"https://packages.debian.org/source/stretch/coturn" ); script_set_attribute( attribute:"see_also", value:"https://www.debian.org/security/2019/dsa-4373" ); script_set_attribute( attribute:"solution", value: "Upgrade the coturn packages. For the stable distribution (stretch), these problems have been fixed in version 4.5.0.5-1+deb9u1." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:coturn"); script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:9.0"); script_set_attribute(attribute:"vuln_publication_date", value:"2019/02/05"); script_set_attribute(attribute:"patch_publication_date", value:"2019/01/28"); script_set_attribute(attribute:"plugin_publication_date", value:"2019/01/29"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Debian Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l"); exit(0); } include("audit.inc"); include("debian_package.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian"); if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING); flag = 0; if (deb_check(release:"9.0", prefix:"coturn", reference:"4.5.0.5-1+deb9u1")) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get()); else security_hole(0); exit(0); } else audit(AUDIT_HOST_NOT, "affected");

NASL family	FreeBSD Local Security Checks
NASL id	FREEBSD_PKG_181BEEF6248211E9B4A300155D006B02.NASL
description	Mihaly Meszaros reports : We made 4.5.1.0 release public today that fixes many vulnerabilities. It fix the following vulnerabilities : - CVE-2018-4056 - CVE-2018-4058 - CVE-2018-4059 They will be exposed very soon..
last seen	2020-03-18
modified	2019-01-31
plugin id	121495
published	2019-01-31
reporter	This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/121495
title	FreeBSD : turnserver -- multiple vulnerabilities (181beef6-2482-11e9-b4a3-00155d006b02)

NASL family	Debian Local Security Checks
NASL id	DEBIAN_DLA-1671.NASL
description	Multiple vulnerabilities were discovered in coTURN, a TURN and STUN server for VoIP. CVE-2018-4056 A SQL injection vulnerability was discovered in the coTURN administrator web portal. As the administration web interface is shared with the production, it is unfortunately not possible to easily filter outside access and this security update completely disables the web interface. Users should use the local, command line interface instead. CVE-2018-4058 Default configuration enables unsafe loopback forwarding. A remote attacker with access to the TURN interface can use this vulnerability to gain access to services that should be local only. CVE-2018-4059 Default configuration uses an empty password for the local command line administration interface. An attacker with access to the local console (either a local attacker or a remote attacker taking advantage of CVE-2018-4058) could escalade privileges to administrator of the coTURN server. For Debian 8
last seen	2020-06-01
modified	2020-06-02
plugin id	122098
published	2019-02-12
reporter	This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/122098
title	Debian DLA-1671-1 : coturn security update

Talos

id	TALOS-2018-0733
last seen	2019-05-29
published	2018-01-29
reporter	Talos Intelligence
source	http://www.talosintelligence.com/vulnerability_reports/TALOS-2018-0733
title	coTURN server unsafe telnet admin portal default configuration vulnerability

References

https://talosintelligence.com/vulnerability_reports/TALOS-2018-0733