Open 000xxx opened 1 month ago
I'm getting the impression that denying relay access to local addresses is more than just a workaround for this ancient CVE. It's a way to prevent Coturn from potentially relaying traffic to other (nearby) network services on the LAN network or container network.
Coturn may have other security measures against this (perhaps it only attempts to forward traffic to "existing known peers" and will not forward traffic to any random LAN service?), but it feels safer to outright forbid this traffic anyway.
I may be misunderstanding something. If anyone knows better, please share more details!
Describe the bug Coturn version 4.6.2, which is currently in use, was already patched for the vulnerabilities described in CVE-2020-26262 with version 4.5.2. The January 2023 changes, which tighten Coturn security by blocking relaying to private IP subnets, seem unnecessary given the upstream fixes. These changes introduce unnecessary restrictions (specifically the default blocklist in
matrix_coturn_denied_peer_ips
), causing Coturn to stop functioning properly in environments that require relaying to private IP addresses. I was able to resolve the issue by overriding the matrix_coturn_denied_peer_ips variable.This suggests that the additional restrictions introduced in the Changelog from January 2023 may be redundant and could be reconsidered for removal, as they negatively affect functionality for users running Coturn 4.5.2 or later.
To Reproduce My
vars.yml
file looks like this:matrix_coturn_denied_peer_ips: []
To reproduce the issue, use the default settings with Coturn 4.6.2 and try relaying traffic through private IPs while these unnecessary blocklists are in place.
Expected behavior Coturn should relay traffic as expected without blocking private IP ranges unnecessarily, especially after the upstream fix in version 4.5.2.
Matrix Server:
Ansible:
Additional context The upstream fix for CVE-2020-26262 was released in January 2021, and Coturn version 4.5.2 (which includes the necessary patches) is stable. Overriding the default
matrix_coturn_denied_peer_ips
resolves any issues I encountered with Coturn functionality.