Talos Intelligence - TALOS-2018-0733
Jan 29, 2018 - 12:00 a.m.

coTURN server unsafe telnet admin portal default configuration vulnerability

Talos Intelligence
www.talosintelligence.com

CVSS3: 9.8 High (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH

CVSS2: 10 High (AV:N/AC:L/Au:N/C:C/I:C/A:C)
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE

EPSS: 0.002 Low (Percentile 55.6%)

Summary

An exploitable unsafe default configuration vulnerability exists in the TURN server function of coTURN prior to version 4.5.0.9. By default, the TURN server runs an unauthenticated telnet admin portal (the CLI) on the loopback interface, which provides administrator access to the TURN server configuration. An attacker who can reach that telnet port gains administrator access to the TURN server, which can lead to additional attacks.

Tested Versions

coTURN 4.5.0.5

Product URLs

https://github.com/coturn/coturn

CVSSv3 Score

6.5 - CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H

CWE

CWE-798: Use of Hard-coded Credentials

Details

coTURN is an open-source implementation of TURN and STUN servers that can be used as a general-purpose TURN server for network traffic. TURN servers are usually deployed in a DMZ (a network segment whose hosts are reachable from the internet) to provide firewall traversal. Attackers who are able to take over such a server may be able to bypass firewalls and conduct further attacks against the internal network.

According to Shodan, thousands of coTURN servers are directly reachable on the internet.

The default options of affected coTURN servers run an unauthenticated telnet admin portal, which provides administrator access to the TURN server configuration.

Mitigation

Run the coTURN server with the following option to disable the telnet portal:

--no-cli                      Turn OFF the CLI support. By default it is always ON

Or set up a password:

--cli-password=<password>     CLI access password. Default is empty (no password)
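The two mitigations above are easy to forget on a fleet of servers, so a configuration audit is worth having. The following is an added example, not code from the Talos advisory or from the coturn project: it parses a turnserver.conf and the turnserver command line, applies the same defaults the daemon does, and reports whether the CLI is still reachable without a password. It assumes facts not stated in the advisory: coturn reads its config file one option per line (`key=value` or a bare `key`, full-line `#` comments), the CLI defaults to `cli-ip=127.0.0.1` and `cli-port=5766` (from coturn's sample configuration; check your version), `--cli-ip`/`--cli-port` exist as command-line options alongside `--no-cli`/`--cli-password`, and command-line flags override the file. The sample configurations are constructed for the example.

```python
# Added example (not from the Talos advisory or the coturn project): audit a
# coturn deployment for the unauthenticated CLI described in TALOS-2018-0733.
# Assumptions not stated in the advisory: turnserver.conf holds one option per
# line ("key=value" or a bare "key", full-line '#' comments); the CLI defaults
# to cli-ip=127.0.0.1 / cli-port=5766 (coturn's sample config, verify for your
# version); --cli-ip and --cli-port are real flags; command line overrides file.
from dataclasses import dataclass
from typing import Iterable, List

LOOPBACK = {"127.0.0.1", "::1", "localhost"}
VALUE_FLAGS = ("--cli-ip", "--cli-port", "--cli-password")


@dataclass
class CliSettings:
    enabled: bool = True        # coturn: CLI is ON unless no-cli is given
    ip: str = "127.0.0.1"       # assumed default cli-ip
    port: int = 5766            # assumed default cli-port
    password: str = ""          # default is empty, i.e. no authentication


def apply_option(settings: CliSettings, key: str, value: str) -> None:
    """Apply one option given either as a config-file key or a --long-flag."""
    key = key.lstrip("-")
    if key == "no-cli":
        settings.enabled = False
    elif key == "cli-ip":
        settings.ip = value
    elif key == "cli-port":
        settings.port = int(value)
    elif key == "cli-password":
        settings.password = value
    # every other option is irrelevant to this check and is ignored


def parse_turnserver_conf(text: str) -> CliSettings:
    """Extract the CLI-related settings from turnserver.conf text."""
    settings = CliSettings()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):   # only full-line comments are skipped
            continue
        key, _, value = line.partition("=")
        apply_option(settings, key.strip(), value.strip())
    return settings


def apply_argv(settings: CliSettings, argv: Iterable[str]) -> CliSettings:
    """Overlay turnserver command-line flags, in --opt=value or --opt value form."""
    args = list(argv)
    i = 0
    while i < len(args):
        arg = args[i]
        if arg.startswith("--"):
            key, eq, value = arg.partition("=")
            if not eq and key in VALUE_FLAGS and i + 1 < len(args):
                value = args[i + 1]          # separate-argument form
                i += 1
            apply_option(settings, key, value)
        i += 1
    return settings


def audit(conf_text: str, argv: Iterable[str] = ()) -> List[str]:
    """Return findings; an empty list means the CLI is off or password-protected."""
    s = apply_argv(parse_turnserver_conf(conf_text), argv)
    findings: List[str] = []
    if not s.enabled:
        return findings
    if not s.password:
        findings.append(
            f"CLI enabled on {s.ip}:{s.port} with no cli-password: anyone who can "
            "reach that port gets administrator access (TALOS-2018-0733)")
    if s.ip not in LOOPBACK:
        findings.append(
            f"CLI bound to {s.ip}, not loopback: the admin portal is reachable "
            "from the network, not just from local processes")
    return findings


# Constructed sample configurations for the example, not real deployments.
DEFAULT_CONF = """\
# turnserver.conf that leaves the CLI at its defaults (vulnerable)
listening-port=3478
realm=turn.example.org
lt-cred-mech
"""
HARDENED_CONF = DEFAULT_CONF + "no-cli\n"                                   # mitigation 1
PASSWORD_CONF = DEFAULT_CONF + "cli-password=correct-horse-battery-staple\n"  # mitigation 2

if __name__ == "__main__":
    for name, conf in (("default", DEFAULT_CONF), ("no-cli", HARDENED_CONF),
                       ("password", PASSWORD_CONF)):
        print(f"{name}: {audit(conf) or 'OK'}")
```

Run it against the live service definition as well as the file: a unit that starts `turnserver -c /etc/turnserver.conf --no-cli` is safe even when the file says nothing, while a file that sets `cli-ip=0.0.0.0` without a password turns a local-only weakness into a network-reachable one and produces two findings.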

Timeline

2017-09-04 - Vendor Disclosure
2019-01-28 - Vendor Patched
2019-01-29 - Public Release
