Coturn IPv4-Mapped IPv6 Loopback Bypass Vulnerability

Vulnerability

A vulnerability in Coturn's handling of IPv4-mapped IPv6 addresses allows loopback restrictions to be bypassed. Coturn is a free, open-source implementation of TURN and STUN servers, commonly configured to block loopback and internal IP ranges as relay peers. Earlier fixes for related vulnerabilities did not properly cover the handling of IPv4-mapped IPv6 addresses. This vulnerability affects Coturn versions prior to 4.5.2 and version 4.8.0.

Impact

Exploitation of this vulnerability bypasses 'denied-peer-ip' rules, so loopback and other internal addresses can be used as peers and the server relays traffic to addresses the operator intended to block.

Reproduction

The vulnerability can be reproduced by sending 'CreatePermission' or 'ChannelBind' requests with the 'XOR-PEER-ADDRESS' value set to an IPv4-mapped IPv6 address, such as '::ffff:127.0.0.1', to a Coturn server whose 'denied-peer-ip' rules do not explicitly list such addresses. The server accepts the request, bypassing the default loopback protections.

Remediation

Users should upgrade to Coturn version 4.5.2 or later, and explicitly deny IPv4-mapped addresses (the '::ffff:' forms of loopback and internal ranges) in their 'denied-peer-ip' settings.
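To show why the literal-match gap described above matters and how a checker closes it, the following is an added illustration and not Coturn's own code: a hypothetical peer-address filter over a constructed deny list, first matching rules literally (the bypass), then canonicalizing IPv4-mapped IPv6 peers before matching, and finally the workaround of listing the '::ffff:' ranges explicitly. The rule syntax uses Python CIDR networks, not Coturn's configuration format.

```python
import ipaddress

# Constructed deny list in the spirit of a typical 'denied-peer-ip' setup:
# IPv4 loopback/private ranges plus IPv6 loopback, nothing for ::ffff: forms.
DEFAULT_RULES = [
    ipaddress.ip_network("127.0.0.0/8"),
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("::1/128"),
]

# Explicit workaround rule: the IPv4-mapped spelling of the loopback range.
MAPPED_LOOPBACK = ipaddress.ip_network("::ffff:127.0.0.0/104")


def canonical(addr):
    """Unwrap ::ffff:a.b.c.d to a.b.c.d so one IPv4 rule covers both spellings."""
    if addr.version == 6 and addr.ipv4_mapped is not None:
        return addr.ipv4_mapped
    return addr


def is_denied(peer: str, rules=DEFAULT_RULES, canonicalize=True) -> bool:
    """Return True if the peer matches a deny rule.

    canonicalize=False reproduces the literal matching that lets
    '::ffff:127.0.0.1' slip past an IPv4-only '127.0.0.0/8' rule.
    """
    addr = ipaddress.ip_address(peer)
    if canonicalize:
        addr = canonical(addr)
    # 'in' is False across address families, so no cross-version matches occur.
    return any(addr in net for net in rules)


def handle_peer_request(msg_type: str, xor_peer_address: str,
                        rules=DEFAULT_RULES, canonicalize=True) -> str:
    """Decision for a CreatePermission/ChannelBind carrying XOR-PEER-ADDRESS.

    Hypothetical helper: returns a response label, not real STUN wire output.
    """
    if msg_type not in ("CreatePermission", "ChannelBind"):
        return "400 Bad Request"
    if is_denied(xor_peer_address, rules, canonicalize):
        return "403 Forbidden"
    return "Success"
```

With canonicalization off, '::ffff:127.0.0.1' is accepted; with it on, or with MAPPED_LOOPBACK added to the rules, the same request is refused.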

Added: Feb 25, 2026, 5:24 AM
Updated: Feb 25, 2026, 5:24 AM

Vulnerability Rating

Custom Algorithm
spread: 3.4
impact: 1.9
exploitability: 6.4
remediation: 7.9
relevance: 3.5
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.