spantaleev / matrix-docker-ansible-deploy

🐳 Matrix (An open network for secure, decentralized communication) server setup using Ansible and Docker
GNU Affero General Public License v3.0

Coturn 4.5.2 and matrix_coturn_denied_peer_ips #3627

Open 000xxx opened 1 week ago

000xxx commented 1 week ago

Describe the bug

Coturn version 4.6.2, which is currently in use, was already patched for the vulnerabilities described in CVE-2020-26262 with version 4.5.2. The January 2023 changes, which tighten Coturn security by blocking relaying to private IP subnets, seem unnecessary given the upstream fixes. These changes introduce unnecessary restrictions (specifically the default blocklist in matrix_coturn_denied_peer_ips), causing Coturn to stop functioning properly in environments that require relaying to private IP addresses. I was able to resolve the issue by overriding the matrix_coturn_denied_peer_ips variable.

This suggests that the additional restrictions introduced in the Changelog from January 2023 may be redundant and could be reconsidered for removal, as they negatively affect functionality for users running Coturn 4.5.2 or later.

To Reproduce

My vars.yml file looks like this:

matrix_coturn_denied_peer_ips: []

To reproduce the issue, use the default settings with Coturn 4.6.2 and try relaying traffic through private IPs while these unnecessary blocklists are in place.

Expected behavior

Coturn should relay traffic as expected without blocking private IP ranges unnecessarily, especially after the upstream fix in version 4.5.2.

Matrix Server:

Ansible:

Ansible version: 2.16.0

Additional context

The upstream fix for CVE-2020-26262 was released in January 2021, and Coturn version 4.5.2 (which includes the necessary patches) is stable. Overriding the default matrix_coturn_denied_peer_ips resolves any issues I encountered with Coturn functionality.
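To make concrete what the matrix_coturn_denied_peer_ips blocklist actually decides, here is an added model of a TURN relay peer check, written for this thread and not taken from coturn or from the matrix-docker-ansible-deploy playbook. It assumes coturn's documented entry syntax (CIDR or a dash-separated address range), and assumes the documented rule that an allowed-peer-ip entry overrides a denied-peer-ip entry; the private-range list below is constructed for the example and is not the playbook's real default value. It also shows the consequence of the override in the post: an empty denied list lets a relay reach any peer, including addresses on the host's LAN or container network.

```python
"""Model of a TURN relay peer-address policy check (coturn-style
denied-peer-ip / allowed-peer-ip). Added illustration only; not code from
coturn or matrix-docker-ansible-deploy."""
import ipaddress
from typing import Iterable, List

# Constructed sample blocklist of non-public ranges. The real default of
# matrix_coturn_denied_peer_ips in the playbook is NOT reproduced here.
PRIVATE_RANGES = [
    "10.0.0.0/8",        # RFC 1918
    "172.16.0.0/12",     # RFC 1918
    "192.168.0.0/16",    # RFC 1918
    "127.0.0.0/8",       # loopback
    "169.254.0.0/16",    # link-local
    "100.64.0.0/10",     # CGNAT / shared address space
    "fc00::/7",          # IPv6 unique local
    "fe80::/10",         # IPv6 link-local
    "::1/128",           # IPv6 loopback
]


def parse_ranges(entries: Iterable[str]) -> List[ipaddress._BaseNetwork]:
    """Turn policy entries into networks.

    Accepts CIDR ("10.0.0.0/8"), a bare address ("203.0.113.5", treated as a
    single-host network) or a dash range ("10.0.0.0-10.255.255.255"), the
    forms coturn's denied-peer-ip/allowed-peer-ip options document.
    """
    nets: List[ipaddress._BaseNetwork] = []
    for entry in entries:
        entry = entry.strip()
        if "-" in entry:
            lo_s, hi_s = entry.split("-", 1)
            lo, hi = ipaddress.ip_address(lo_s.strip()), ipaddress.ip_address(hi_s.strip())
            # Expand the inclusive range into the minimal set of CIDR blocks.
            nets.extend(ipaddress.summarize_address_range(lo, hi))
        else:
            nets.append(ipaddress.ip_network(entry, strict=False))
    return nets


def relay_allowed(peer: str, denied: Iterable[str], allowed: Iterable[str] = ()) -> bool:
    """Decide whether relaying to `peer` is permitted.

    Assumption (modelled on coturn's documentation, not verified against its
    source here): an `allowed` match wins over any `denied` match, and an
    address matching neither list is permitted.
    """
    addr = ipaddress.ip_address(peer)
    # `addr in net` is False when the IP versions differ, so mixing v4 and v6
    # entries in one list is safe.
    if any(addr in net for net in parse_ranges(allowed)):
        return True
    return not any(addr in net for net in parse_ranges(denied))


def audit(peers: Iterable[str], denied: Iterable[str], allowed: Iterable[str] = ()) -> dict:
    """Evaluate several candidate peers under one policy; handy for checking
    an override before deploying it."""
    return {p: relay_allowed(p, denied, allowed) for p in peers}


if __name__ == "__main__":
    sample_peers = ["203.0.113.5", "192.168.1.10", "10.1.2.3", "fd00::1"]
    print("default-style blocklist:", audit(sample_peers, PRIVATE_RANGES))
    # The override from the issue: denied list emptied, everything relays.
    print("denied list emptied:  ", audit(sample_peers, []))
    # A narrower alternative: keep the blocklist, allow just the subnet needed.
    print("scoped allow-list:    ",
          audit(sample_peers, PRIVATE_RANGES, allowed=["192.168.1.0/24"]))
```

Running the block prints three policy evaluations: with the sample blocklist only the public peer relays; with the denied list set to `[]` every peer relays, which is what the vars.yml override in this issue produces; with the blocklist kept and a single /24 added to the allow list, only that subnet is opened up while the rest of the private space stays closed.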

spantaleev commented 4 days ago

I'm getting the impression that denying relay access to local addresses is more than just a workaround for this ancient CVE. It's a way to prevent Coturn from potentially relaying traffic to other (nearby) network services on the LAN network or container network.

Coturn may have other security measures against this (perhaps it only attempts to forward traffic to "existing known peers" and will not forward traffic to any random LAN service?), but it feels safer to outright forbid this traffic anyway.

I may be misunderstanding something. If anyone knows better, please share more details!