Bugs in the VoIP traffic facilitator could lead to ‘unforeseen consequences’


CoTURN, an open source TURN server that powers VoIP platforms, has issued a software update after the discovery of denial-of-service and memory corruption vulnerabilities.

The flaws, which arise from how CoTURN’s web server parses POST requests, can lead to VoIP systems being disabled or, in the worst-case scenario, being taken over by attackers.

The bugs were discovered by Aleksandar Nikolic, security researcher at Cisco Talos Intelligence Group, in the product’s web server, according to a blog post by Talos.

CoTURN can be used as a general-purpose TURN server, which funnels VoIP traffic through corporate firewalls and into enterprise networks. Its web server is included for administrative purposes.

The memory corruption flaw (CVE-2020-6061) is a high risk (CVSS 7.0) heap overflow vulnerability caused by the way the CoTURN web server parses POST requests.

“A specially crafted HTTP POST request can lead to information leaks and other misbehavior,” reads the vulnerability report.

“An attacker needs to send an HTTPS request to trigger this vulnerability.”

The potential threat actor triggers the vulnerability by controlling “how much the data pointer gets incremented,” Talos said.

“Also, the content length header controls the allocation size,” it added.

“By aligning those two, we can have the while loop skip till the actual end of the data buffer which would result in a large out of bounds access.”

Successful exploitation can cause additional memory corruption, access to sensitive information, and “other unforeseen consequences”, Talos said.

A specially crafted HTTP POST request can also trigger the medium risk (CVSS 5.9) denial-of-service vulnerability (CVE-2020-6062) and crash the server, a second bug report from Talos explains.

“Function strtok_r can return a NULL value if the left hand side of the split is empty,” Talos said.

“This NULL pointer is subsequently used in a call to strdup, which will result in a NULL pointer dereference, resulting in a process crash and denial-of-service.”
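The NULL-return case Talos describes, shown as an added example (not CoTURN's code and not from the Talos report): a small `key=value` form-field parser in C that checks the result of `strtok_r` before it reaches `strdup`. The function names and the sample form body are assumptions constructed for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Parse one "key=value" field. Hypothetical helper, not CoTURN code.
 * Returns 0 and heap copies in *key / *val, or -1 if the field is malformed. */
int parse_field(const char *field, char **key, char **val)
{
    *key = *val = NULL;
    /* strtok_r skips leading delimiters, so "=x" would yield "x" as the key;
     * reject an empty left-hand side explicitly. */
    if (field == NULL || field[0] == '=') return -1;
    char *copy = strdup(field);            /* strtok_r modifies its input */
    if (copy == NULL) return -1;
    char *save = NULL;
    char *k = strtok_r(copy, "=", &save);  /* NULL when no token is found */
    char *v = strtok_r(NULL, "", &save);   /* rest of the field, or NULL */
    int rc = -1;
    if (k != NULL) {                       /* the check before strdup */
        *key = strdup(k);
        *val = strdup(v != NULL ? v : "");
        rc = (*key != NULL && *val != NULL) ? 0 : -1;
    }
    if (rc != 0) { free(*key); free(*val); *key = *val = NULL; }
    free(copy);
    return rc;
}

/* Split a form body on '&' and count the well-formed fields. */
int count_valid_fields(const char *body)
{
    char *copy = strdup(body != NULL ? body : "");
    if (copy == NULL) return -1;
    int ok = 0;
    char *save = NULL;
    for (char *f = strtok_r(copy, "&", &save); f; f = strtok_r(NULL, "&", &save)) {
        char *k, *v;
        if (parse_field(f, &k, &v) == 0) { ok++; free(k); free(v); }
    }
    free(copy);
    return ok;
}

int main(void)
{
    printf("%d\n", count_valid_fields("user=admin&=x&pwd=&&realm")); /* constructed body */
    return 0;
}
```

Malformed fields are rejected with an error code instead of being passed on, so a request with an empty key costs the server one failed parse rather than the process.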

Both flaws affect CoTURN 4.5.1.1.

The vendor was notified of the bugs on February 11 and patched them on February 17, according to Talos.

The Daily Swig has contacted CoTURN for further information.

