Coturn Bad Random Number Generation Vulnerability Leading to Nonce and Port Prediction

A vulnerability exists in Coturn versions 4.6.2r5 prior to 4.7.0-r4, due to a weak random number generator for nonces and port randomization. This issue arose after a refactoring that changed the source of random number generation from OpenSSL's secure RAND_bytes to libc's random(), which is a reversible Linear Congruential Generator (LCG) and unsafe for cryptographic purposes. The vulnerability allows an attacker to predict nonces and relay ports, potentially spoofing IP addresses and manipulating TURN server behaviors, especially in IoT contexts where credentials may be known.

Impact

The vulnerability allows for the prediction of nonces and relay ports, enabling an attacker to spoof IP addresses and send authenticated messages without receiving responses, including the nonce. This could lead to unauthorized changes in permissions or bindings on the TURN server. Additionally, the predictable relay port allocation could be exploited for targeted attacks.

Reproduction

To reproduce this vulnerability, send approximately 50 unauthenticated allocation requests to the Coturn server. This will allow the current state of the random number generator to be reconstructed, enabling the prediction of the next nonce. With the predicted nonce, authenticated messages can be sent without receiving responses, effectively spoofing the sender's IP address.

Remediation

Users can update to Coturn version 4.7.0-r4, where this vulnerability has been addressed.