SB2026010712 - Usage of weak PRNG in coTURN

Description

This security bulletin contains information about 1 vulnerability.

1) Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) (CVE-ID: CVE-2025-69217)

CWE-ID: CWE-338 - Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Green

The vulnerability allows a remote attacker to perform spoofing attack.

The vulnerability exists due to usage of bad random number generator for nonces and port randomization after refactoring. A remote attacker can send 50 unauthenticated allocations requests and completely reconstruct the current state of the random number generator, leading to spoofing. authentication bypass and denial of service. 

Remediation

Install update from vendor's website.

References

• https://github.com/coturn/coturn/releases/tag/4.8.0
• https://github.com/coturn/coturn/commit/11fc465f4bba70bb0ad8aae17d6c4a63a29917d9
• https://github.com/coturn/coturn/commit/88ced471385869d7e7fbbc4766e78ef521b36af6
• https://github.com/coturn/coturn/security/advisories/GHSA-fvj6-9jhg-9j84