CVE-2021-21382

Unsafe loopback forwarding interface in Restund

Severity Score

9.6

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

Restund is an open source NAT traversal server. The restund TURN server can be instructed to open a relay to the loopback address range. This allows you to reach any other service running on localhost which you might consider private. In the configuration that we ship (https://github.com/wireapp/ansible-restund/blob/master/templates/restund.conf.j2#L40-L43) the `status` interface of restund is enabled and is listening on `127.0.0.1`.The `status` interface allows users to issue administrative commands to `restund` like listing open relays or draining connections. It would be possible for an attacker to contact the status interface and issue administrative commands by setting `XOR-PEER-ADDRESS` to `127.0.0.1:{{restund_udp_status_port}}` when opening a TURN channel. We now explicitly disallow relaying to loopback addresses, 'any' addresses, link local addresses, and the broadcast address. As a workaround disable the `status` module in your restund configuration. However there might still be other services running on `127.0.0.0/8` that you do not want to have exposed. The `turn` module can be disabled. Restund will still perform STUN and this might already be enough for initiating calls in your environments. TURN is only used as a last resort when other NAT traversal options do not work. One should also make sure that the TURN server is set up with firewall rules so that it cannot relay to other addresses that you don't want the TURN server to relay to. For example other services in the same VPC where the TURN server is running. Ideally TURN servers should be deployed in an isolated fashion where they can only reach what they need to reach to perform their task of assisting NAT-traversal.

Restund es un servidor de salto NAT de código abierto. El servidor TURN de Restund puede ser instruido para abrir un relé al rango de direcciones loopback. Esto le permite llegar a cualquier otro servicio que se ejecute en localhost y que pueda considerar privado. En la configuración que enviamos (https://github.com/wireapp/ansible-restund/blob/master/templates/restund.conf.j2#L40-L43) la interfaz "status" de restund está habilitada y está escuchando en "127.0.0.1". La interfaz "status" permite a los usuarios emitir comandos administrativos a "restund" como listar los relés abiertos o drenar las conexiones. Sería posible para un atacante contactar con la interfaz de estado y emitir comandos administrativos estableciendo el parámetro "XOR-PEER-ADDRESS" en "127.0.0.1:{{restund_udp_status_port}} al abrir un canal TURN. Ahora desestimamos explícitamente la retransmisión a direcciones de bucle invertido, direcciones "any", direcciones locales de enlace y la dirección de difusión. Como solución, desactive el módulo "status" en su configuración de Restund. Sin embargo, es posible que haya otros servicios que se ejecuten en "127.0.0.0/8" que no quieras que estén expuestos. El módulo "turn" puede ser deshabilitado. Restund seguirá llevando a cabo STUN y esto podría ser suficiente para iniciar llamadas en sus entornos. TURN es sólo usado como último recurso cuando otras opciones de salto de NAT no funcionan. También hay que asegurarse de que el servidor TURN está configurado con reglas de firewall para que no pueda retransmitir a otras direcciones a las que no quieres que el servidor TURN retransmita. Por ejemplo, otros servicios en la misma VPC donde se ejecuta el servidor TURN. Lo, ID de Android:eal es que los servidores TURN se desplieguen de forma aislada donde sólo puedan alcanzar lo que necesitan para llevar a cabo su tarea de asistir al salto del NAT

*Credits: N/A

CVSS Scores

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Changed

Confidentiality

High

Integrity

High

Availability

None

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Changed

Confidentiality

High

Integrity

None

Availability

None

Attack Vector

Network

Attack Complexity

Low

Authentication

Single

Confidentiality

Partial

Integrity

Partial

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2020-12-22 CVE Reserved
2021-06-11 CVE Published
2024-07-14 EPSS Updated
2024-08-03 CVE Updated
2024-08-03 First Exploit
---------- Exploited in Wild
---------- KEV Due Date

CWE

CWE-668: Exposure of Resource to Wrong Sphere
CWE-862: Missing Authorization

CAPEC

References (7)

URL	Tag	Source
https://github.com/coturn/coturn/security/advisories/GHSA-6g6j-r9rf-cm7p	Not Applicable
https://www.rtcsec.com/post/2021/01/details-about-cve-2020-26262-bypass-of-coturns-default-access-control-protection/#further-concerns-what-else	Not Applicable

URL	Date	SRC
https://github.com/wireapp/ansible-restund/blob/master/templates/restund.conf.j2#L40-L43	2024-08-03
https://github.com/wireapp/restund/pull/7	2024-08-03
https://github.com/wireapp/restund/security/advisories/GHSA-96j5-w9jq-pv2x	2024-08-03
https://talosintelligence.com/vulnerability_reports/TALOS-2018-0732	2024-08-03

URL	Date	SRC

URL	Date	SRC
https://docs.wire.com/understand/restund.html	2022-10-21

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Wire Search vendor "Wire"		Restund Search vendor "Wire" for product "Restund"				< 0.4.15 Search vendor "Wire" for product "Restund" and version " < 0.4.15"		-		Affected