An exploitable unsafe default configuration vulnerability exists in the TURN server function of coTURN prior to version 18.104.22.168. By default, the TURN server runs an unauthenticated telnet admin portal on the loopback interface. This can provide administrator access to the TURN server configuration, which can lead to additional attacks. An attacker who can get access to the telnet port can gain administrator access to the TURN server.
6.5 - CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H
CWE-798: Use of Hard-coded Credentials
coTURN is an open-source implementation of TURN and STUN servers that can be used as a general-purpose networking traffic TURN server. TURN servers are usually deployed in so-called “DMZ” zones — any server reachable by the internet — to provide firewall traversal solutions. Attackers who are able to take over such servers may be able to bypass firewalls and conduct further attacks.
According to Shodawn, thousands of coTURN servers are directly reachable on the internet.
The default options of affected coTURN servers run an unauthenticated telnet admin portal, which provides administrator access to the TURN server configuration.
Run the coTURN server with the following option to disable the telnet portal:
--no-cli Turn OFF the CLI support. By default it is always ON
Or set up a password:
--cli-password=<password> CLI access password. Default is empty (no password)
2017-09-04 - Vendor Disclosure
2019-01-28 - Vendor Patched
2019-01-29 - Public Release
Discovered by Nicolas Edet of Cisco.