Vulnerabilities > CVE-2018-4059 - Missing Authorization vulnerability in Coturn Project Coturn
Attack vector
NETWORK Attack complexity
LOW Privileges required
NONE Confidentiality impact
COMPLETE Integrity impact
COMPLETE Availability impact
COMPLETE Summary
An exploitable unsafe default configuration vulnerability exists in the TURN server function of coTURN prior to version 4.5.0.9. By default, the TURN server runs an unauthenticated telnet admin portal on the loopback interface. This can provide administrator access to the TURN server configuration, which can lead to additional attacks. An attacker who can get access to the telnet port can gain administrator access to the TURN server.
Vulnerable Configurations
Part | Description | Count |
---|---|---|
Application | 10 |
Common Weakness Enumeration (CWE)
Nessus
NASL family Debian Local Security Checks NASL id DEBIAN_DSA-4373.NASL description Multiple vulnerabilities were discovered in coTURN, a TURN and STUN server for VoIP. - CVE-2018-4056 A SQL injection vulnerability was discovered in the coTURN administrator web portal. As the administration web interface is shared with the production, it is unfortunately not possible to easily filter outside access and this security update completely disable the web interface. Users should use the local, command line interface instead. - CVE-2018-4058 Default configuration enables unsafe loopback forwarding. A remote attacker with access to the TURN interface can use this vulnerability to gain access to services that should be local only. - CVE-2018-4059 Default configuration uses an empty password for the local command line administration interface. An attacker with access to the local console (either a local attacker or a remote attacker taking advantage of CVE-2018-4058 ) could escalade privileges to administrator of the coTURN server. last seen 2020-03-17 modified 2019-01-29 plugin id 121425 published 2019-01-29 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/121425 title Debian DSA-4373-1 : coturn - security update code # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Debian Security Advisory DSA-4373. The text # itself is copyright (C) Software in the Public Interest, Inc. # include("compat.inc"); if (description) { script_id(121425); script_version("1.4"); script_set_attribute(attribute:"plugin_modification_date", value:"2020/02/20"); script_cve_id("CVE-2018-4056", "CVE-2018-4058", "CVE-2018-4059"); script_xref(name:"DSA", value:"4373"); script_name(english:"Debian DSA-4373-1 : coturn - security update"); script_summary(english:"Checks dpkg output for the updated package"); script_set_attribute( attribute:"synopsis", value:"The remote Debian host is missing a security-related update." ); script_set_attribute( attribute:"description", value: "Multiple vulnerabilities were discovered in coTURN, a TURN and STUN server for VoIP. - CVE-2018-4056 A SQL injection vulnerability was discovered in the coTURN administrator web portal. As the administration web interface is shared with the production, it is unfortunately not possible to easily filter outside access and this security update completely disable the web interface. Users should use the local, command line interface instead. - CVE-2018-4058 Default configuration enables unsafe loopback forwarding. A remote attacker with access to the TURN interface can use this vulnerability to gain access to services that should be local only. - CVE-2018-4059 Default configuration uses an empty password for the local command line administration interface. An attacker with access to the local console (either a local attacker or a remote attacker taking advantage of CVE-2018-4058 ) could escalade privileges to administrator of the coTURN server." ); script_set_attribute( attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2018-4056" ); script_set_attribute( attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2018-4058" ); script_set_attribute( attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2018-4059" ); script_set_attribute( attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2018-4058" ); script_set_attribute( attribute:"see_also", value:"https://security-tracker.debian.org/tracker/source-package/coturn" ); script_set_attribute( attribute:"see_also", value:"https://packages.debian.org/source/stretch/coturn" ); script_set_attribute( attribute:"see_also", value:"https://www.debian.org/security/2019/dsa-4373" ); script_set_attribute( attribute:"solution", value: "Upgrade the coturn packages. For the stable distribution (stretch), these problems have been fixed in version 4.5.0.5-1+deb9u1." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:coturn"); script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:9.0"); script_set_attribute(attribute:"vuln_publication_date", value:"2019/02/05"); script_set_attribute(attribute:"patch_publication_date", value:"2019/01/28"); script_set_attribute(attribute:"plugin_publication_date", value:"2019/01/29"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Debian Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l"); exit(0); } include("audit.inc"); include("debian_package.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian"); if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING); flag = 0; if (deb_check(release:"9.0", prefix:"coturn", reference:"4.5.0.5-1+deb9u1")) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get()); else security_hole(0); exit(0); } else audit(AUDIT_HOST_NOT, "affected");
NASL family FreeBSD Local Security Checks NASL id FREEBSD_PKG_181BEEF6248211E9B4A300155D006B02.NASL description Mihaly Meszaros reports : We made 4.5.1.0 release public today that fixes many vulnerabilities. It fix the following vulnerabilities : - CVE-2018-4056 - CVE-2018-4058 - CVE-2018-4059 They will be exposed very soon.. last seen 2020-03-18 modified 2019-01-31 plugin id 121495 published 2019-01-31 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/121495 title FreeBSD : turnserver -- multiple vulnerabilities (181beef6-2482-11e9-b4a3-00155d006b02) NASL family Debian Local Security Checks NASL id DEBIAN_DLA-1671.NASL description Multiple vulnerabilities were discovered in coTURN, a TURN and STUN server for VoIP. CVE-2018-4056 A SQL injection vulnerability was discovered in the coTURN administrator web portal. As the administration web interface is shared with the production, it is unfortunately not possible to easily filter outside access and this security update completely disables the web interface. Users should use the local, command line interface instead. CVE-2018-4058 Default configuration enables unsafe loopback forwarding. A remote attacker with access to the TURN interface can use this vulnerability to gain access to services that should be local only. CVE-2018-4059 Default configuration uses an empty password for the local command line administration interface. An attacker with access to the local console (either a local attacker or a remote attacker taking advantage of CVE-2018-4058) could escalade privileges to administrator of the coTURN server. For Debian 8 last seen 2020-06-01 modified 2020-06-02 plugin id 122098 published 2019-02-12 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/122098 title Debian DLA-1671-1 : coturn security update
Talos
id | TALOS-2018-0733 |
last seen | 2019-05-29 |
published | 2018-01-29 |
reporter | Talos Intelligence |
source | http://www.talosintelligence.com/vulnerability_reports/TALOS-2018-0733 |
title | coTURN server unsafe telnet admin portal default configuration vulnerability |