coturn
cpe:2.3:a:coturn_project:coturn:*:*:*:*:*:*:*
- >= 4.9.0, <= 4.9.0
A denial-of-service vulnerability has been identified in Coturn versions prior to 4.10.0. The issue arises in the STUN/TURN attribute parsing functions, which perform unsafe pointer casts from uint8_t * to uint16_t * without proper alignment checks. This flaw allows for misaligned memory reads, particularly on ARM64 architectures where strict alignment is enforced. An unauthenticated remote attacker can exploit this vulnerability by sending a single crafted UDP packet, causing the turnserver process to crash. The vulnerability is present in Coturn versions 4.9.0 and earlier.
Exploitation of this vulnerability leads to a SIGBUS error, causing the turnserver process to terminate abruptly. This denial-of-service condition can be triggered remotely on any Coturn deployment running on ARM64/AArch64 hardware, such as AWS Graviton instances, Apple Silicon, Raspberry Pi, and ARM-based cloud or edge deployments.
The vulnerability can be reproduced by sending a crafted STUN message over UDP to a Coturn server running on an ARM64 architecture. The message must be crafted to include an attribute with an odd length that is not properly padded, causing the next attribute pointer to be misaligned. This misalignment can be verified by building Coturn with undefined behavior sanitization enabled, which will expose the misaligned access as a runtime error.
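The following is an added illustration and not coturn's code: a minimal STUN attribute walker that reads the 16-bit type and length fields byte by byte instead of casting the buffer pointer, rounds each value up to the 4-byte boundary the STUN format requires, and rejects an odd-length attribute whose padding is missing rather than advancing to a misaligned header. The sample messages are constructed for the example; the layout (20-byte header, type/length/value attributes padded to 4 bytes) is the standard STUN wire format.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define STUN_HDR 20

/* Read a big-endian uint16 one byte at a time. The unsafe pattern the advisory
 * describes is *(const uint16_t *)p, which faults on strict-alignment targets
 * such as ARM64 when p is odd; byte loads never require alignment. */
static uint16_t rd16be(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Walk the attributes of a STUN message in buf[0..len). Returns the number of
 * well-formed attributes, or -1 if the message is truncated or malformed. */
int stun_count_attrs(const uint8_t *buf, size_t len) {
    if (len < STUN_HDR) return -1;
    size_t body = rd16be(buf + 2);                 /* message length field */
    if (body % 4 != 0 || body > len - STUN_HDR) return -1;
    size_t off = STUN_HDR, end = STUN_HDR + body;
    int count = 0;
    while (off < end) {
        if (end - off < 4) return -1;              /* need type + length */
        uint16_t alen = rd16be(buf + off + 2);
        size_t padded = ((size_t)alen + 3) & ~(size_t)3; /* round value up to 4 */
        if (padded > end - off - 4) return -1;     /* odd length, padding missing */
        off += 4 + padded;                         /* next header stays 4-byte aligned */
        count++;
    }
    return count;
}

/* Constructed sample (not a captured packet): Binding request carrying a 5-byte
 * SOFTWARE attribute padded to 8, then a 4-byte PRIORITY attribute. */
static const uint8_t sample_msg[40] = {
    0x00,0x01, 0x00,0x14, 0x21,0x12,0xA4,0x42,     /* type, length 20, magic cookie */
    0,1,2,3,4,5,6,7,8,9,10,11,                     /* transaction ID */
    0x80,0x22, 0x00,0x05, 't','u','r','n','1', 0,0,0, /* SOFTWARE, len 5 + 3 pad */
    0x00,0x24, 0x00,0x04, 0x6E,0x00,0x01,0xFF      /* PRIORITY, len 4 */
};

/* Same first attribute with its padding omitted, so the message length is 9. */
static const uint8_t sample_unpadded[29] = {
    0x00,0x01, 0x00,0x09, 0x21,0x12,0xA4,0x42, 0,1,2,3,4,5,6,7,8,9,10,11,
    0x80,0x22, 0x00,0x05, 't','u','r','n','1'
};

int sample_ok(void)       { return stun_count_attrs(sample_msg, sizeof sample_msg); }
int sample_rejected(void) { return stun_count_attrs(sample_unpadded, sizeof sample_unpadded); }

int main(void) {
    printf("well-formed: %d attrs, unpadded: %d\n", sample_ok(), sample_rejected());
    return 0;
}
```

Building with `-fsanitize=undefined` (as the reproduction note above suggests) is the quickest way to confirm that a parser of this shape performs no misaligned loads on any input.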
Users are advised to update Coturn to version 4.10.0 or later, where this vulnerability has been fixed.