An exploitable denial-of-service vulnerability exists in the way CoTURN 4.5.1.1 web server parses POST requests. A specially crafted HTTP POST request can lead to server crash and denial of service. An attacker needs to send an HTTP request to trigger this vulnerability.
Weakness
The product dereferences a pointer that it expects to be valid but is NULL.
Affected Software
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Coturn | Coturn_project | 4.5.1.1 (including) | 4.5.1.1 (including) |
| Coturn | Ubuntu | bionic | * |
| Coturn | Ubuntu | eoan | * |
| Coturn | Ubuntu | esm-apps/bionic | * |
| Coturn | Ubuntu | esm-apps/focal | * |
| Coturn | Ubuntu | esm-apps/xenial | * |
| Coturn | Ubuntu | focal | * |
| Coturn | Ubuntu | trusty | * |
| Coturn | Ubuntu | xenial | * |
Potential Mitigations
References
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HQZZPI34LAS3SFNW6Z2ZJ46RKVGEODNA/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OUVZRXW5ZIGWVKOLF3NPXRPP74YX7BUY/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XN2NK6FT7AMW5UIZNXDNHKEAYWAUMGSF/
- https://talosintelligence.com/vulnerability_reports/TALOS-2020-0985
- https://usn.ubuntu.com/4415-1/
- https://www.debian.org/security/2020/dsa-4711
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HQZZPI34LAS3SFNW6Z2ZJ46RKVGEODNA/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OUVZRXW5ZIGWVKOLF3NPXRPP74YX7BUY/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XN2NK6FT7AMW5UIZNXDNHKEAYWAUMGSF/
- https://talosintelligence.com/vulnerability_reports/TALOS-2020-0985
- https://usn.ubuntu.com/4415-1/
- https://www.debian.org/security/2020/dsa-4711