CVE-2018-4058

NameCVE-2018-4058
DescriptionAn exploitable unsafe default configuration vulnerability exists in the TURN server functionality of coTURN prior to 4.5.0.9. By default, the TURN server allows relaying external traffic to the loopback interface of its own host. This can provide access to other private services running on that host, which can lead to further attacks. An attacker can set up a relay with a loopback address as the peer on an affected TURN server to trigger this vulnerability.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
ReferencesDLA-1671-1, DSA-4373-1
NVD severitymedium (attack range: remote)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
coturn (PTS)jessie4.2.1.2-1vulnerable
jessie (security)4.2.1.2-1+deb8u1fixed
stretch (security), stretch4.5.0.5-1+deb9u1fixed
buster, sid4.5.1.1-1.1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
coturnsource(unstable)4.5.1.0-1medium
coturnsourcejessie4.2.1.2-1+deb8u1mediumDLA-1671-1
coturnsourcestretch4.5.0.5-1+deb9u1mediumDSA-4373-1

Search for package or bug name: Reporting problems