CVSS: 9.6 | EPSS: 0% | CPEs: 1 | EXPL: 4

Restund is an open source NAT traversal server. The restund TURN server can be instructed to open a relay to the loopback address range. This allows you to reach any other service running on localhost which you might consider private. In the configuration that we ship (https://github.com/wireapp/ansible-restund/blob/master/templates/restund.conf.j2#L40-L43) the `status` interface of restund is enabled and is listening on `127.0.0.1`. The `status` interface allows users to issue administrative commands to `restund` like listing open relays or draining connections. It would be possible for an attacker to contact the status interface and issue administrative commands by setting `XOR-PEER-ADDRESS` to `127.0.0.1:{{restund_udp_status_port}}` when opening a TURN channel.

References:
• https://docs.wire.com/understand/restund.html
• https://github.com/coturn/coturn/security/advisories/GHSA-6g6j-r9rf-cm7p
• https://github.com/wireapp/ansible-restund/blob/master/templates/restund.conf.j2#L40-L43
• https://github.com/wireapp/restund/pull/7
• https://github.com/wireapp/restund/security/advisories/GHSA-96j5-w9jq-pv2x
• https://talosintelligence.com/vulnerability_reports/TALOS-2018-0732
• https://www.rtcsec.com/post/2021/01/details-about-cve-2020-26262-bypass-of-coturns-default-access-control-

Weaknesses:
• CWE-668: Exposure of Resource to Wrong Sphere
• CWE-862: Missing Authorization