Talos Coturn vulnerabilities

3 known vulnerabilities affecting talos/coturn.

Total CVEs: 3
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 2, HIGH 1

Vulnerabilities

CVE-2018-4059 | CRITICAL | CVSS 9.8 | coTURN 4.5.0.5 | 2019-03-21
CVE-2018-4059 [CRITICAL] CWE-862: An exploitable unsafe default configuration vulnerability exists in the TURN server function of coTURN prior to version 4.5.0.9. By default, the TURN server runs an unauthenticated telnet admin portal on the loopback interface. This can provide administrator access to the TURN server configuration, which can lead to additional attacks. An attacker w
cvelistv5, nvd
CVE-2018-4058 | HIGH | CVSS 7.7 | coTURN 4.5.0.5 | 2019-03-21
CVE-2018-4058 [HIGH]: An exploitable unsafe default configuration vulnerability exists in the TURN server functionality of coTURN prior to 4.5.0.9. By default, the TURN server allows relaying external traffic to the loopback interface of its own host. This can provide access to other private services running on that host, which can lead to further attacks. An attacker can set up a r
cvelistv5, nvd
CVE-2018-4056 | CRITICAL | CVSS 9.8 | coTURN 4.5.0.5 | 2019-02-05
CVE-2018-4056 [CRITICAL] CWE-89: An exploitable SQL injection vulnerability exists in the administrator web portal function of coTURN prior to version 4.5.0.9. A login message with a specially crafted username can cause an SQL injection, resulting in authentication bypass, which could give access to the TURN server administrator web portal. An attacker can log in via the external in
cvelistv5, nvd