CVE-2020-26262

Coturn is free open source implementation of TURN and STUN Server. Coturn
before version 4.5.2 by default does not allow peers to connect and relay
packets to loopback addresses in the range of 127.x.x.x. However, it was
observed that when sending a CONNECT request with the XOR-PEER-ADDRESS
value of 0.0.0.0, a successful response was received and subsequently,
CONNECTIONBIND also received a successful response. Coturn then is able
to relay packets to the loopback interface. Additionally, when coturn is
listening on IPv6, which is default, the loopback interface can also be
reached by making use of either [::1] or [::] as the peer address. By
using the address 0.0.0.0 as the peer address, a malicious user will be
able to relay packets to the loopback interface, unless
--denied-peer-ip=0.0.0.0 (or similar) has been specified. Since the
default configuration implies that loopback peers are not allowed, coturn
administrators may choose to not set the denied-peer-ip setting. The
issue patched in version 4.5.2. As a workaround the addresses in the
address block 0.0.0.0/8, [::1] and [::] should be denied by default
unless --allow-loopback-peers has been specified.

Notes