SB2020070620 - Ubuntu update for coturn
Published: July 6, 2020 Updated: April 23, 2025
Description
This security bulletin contains information about 3 security vulnerabilities.
1) Improper Initialization (CVE-ID: CVE-2020-4067)
The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.
In coturn before version 4.5.1.3, the STUN/TURN response buffer is not initialized properly, so information leaks between different client connections. One client (an attacker) could use their own connection to query coturn in a targeted way and recover bytes from another client's connection in the padding bytes of the response. This has been fixed in 4.5.1.3.
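The mechanism behind the first issue, as an added C illustration that is not coturn's code: STUN attributes are padded to a 4-byte boundary and the padding travels on the wire, so a response buffer reused across connections without being zeroed carries stale bytes from the previous client. The shared buffer, the attribute type value and the two client payloads are constructed for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BUF_LEN 64

/* Stand-in for a response buffer that the server reuses across client
 * connections (constructed for this example). */
static uint8_t response_buf[BUF_LEN];

/* Write one TLV attribute (type, length, value) at offset 0 of buf and
 * return the number of bytes that would be sent, including padding.
 * With clear_first == 0 the padding keeps whatever the buffer held. */
size_t build_attr(uint8_t *buf, size_t buf_len, uint16_t type,
                  const uint8_t *value, uint16_t vlen, int clear_first) {
    size_t padded = (vlen + 3) & ~(size_t)3;       /* round up to 4 bytes */
    if (4 + padded > buf_len) return 0;
    if (clear_first) memset(buf, 0, 4 + padded);   /* the fix: zero the span first */
    buf[0] = type >> 8; buf[1] = type & 0xff;
    buf[2] = vlen >> 8; buf[3] = vlen & 0xff;
    memcpy(buf + 4, value, vlen);
    return 4 + padded;
}

/* Count padding bytes that are not zero, i.e. stale bytes about to leave. */
size_t leaked_padding_bytes(const uint8_t *buf, uint16_t vlen, size_t total) {
    size_t n = 0;
    for (size_t i = 4 + vlen; i < total; i++) if (buf[i] != 0) n++;
    return n;
}

/* Client A's value fills the buffer; client B's one-byte value is then built
 * in the same buffer, leaving 3 padding bytes. Returns how many of those
 * padding bytes still hold A's data. */
size_t simulate(int clear_first) {
    const uint8_t secret_a[] = "client-A-secret";  /* constructed sample data */
    const uint8_t short_b[] = "B";
    build_attr(response_buf, BUF_LEN, 0x0006, secret_a, sizeof secret_a - 1, 1);
    size_t total = build_attr(response_buf, BUF_LEN, 0x0006, short_b, 1, clear_first);
    return leaked_padding_bytes(response_buf, 1, total);
}

int main(void) {
    printf("without clearing: %zu stale bytes in padding\n", simulate(0)); /* 3 */
    printf("with clearing:    %zu stale bytes in padding\n", simulate(1)); /* 0 */
    return 0;
}
```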
2) Heap-based buffer overflow (CVE-ID: CVE-2020-6061)
The vulnerability allows a remote attacker to cause information leaks and other misbehavior.
The vulnerability exists due to a boundary error when the web server parses POST requests. A remote attacker can send a specially crafted HTTPS request, trigger a heap-based buffer overflow and cause information leaks and other misbehavior.
3) NULL pointer dereference (CVE-ID: CVE-2020-6062)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a NULL pointer dereference error when the web server parses POST requests. A remote attacker can send a specially crafted HTTP request and perform a denial of service (DoS) attack.
Remediation
Install the update from the vendor's website.