From bb0faa6bc37be94f443fa9730f9af726f9ba1486 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Thu, 26 Jan 2023 17:15:44 +0200 Subject: [PATCH] Block various private network ranges via denied_peer_ips for Coturn by default Inspired by: https://www.rtcsec.com/article/cve-2020-26262-bypass-of-coturns-access-control-protection/ --- CHANGELOG.md | 11 +++++++ roles/custom/matrix-coturn/defaults/main.yml | 32 +++++++++++++++++++- 2 files changed, 42 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index e4607148c..b32958ca5 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,3 +1,14 @@ +# 2023-01-26 + +## (Backward Compatibility) Tightening Coturn security can lead to connectivity issues + +**TLDR**: users who run and access their Matrix server on a private network (likely a small minority of users) may experience connectivity issues with our new default Coturn blocklists. They may need to override `matrix_coturn_denied_peer_ips` and remove some IP ranges from it. + +Inspired by [this security article](https://www.rtcsec.com/article/cve-2020-26262-bypass-of-coturns-access-control-protection/), we've decided to make use of Coturn's `denied-peer-ip` functionality to prevent relaying network traffic to certain private IP subnets. This ensures that your Coturn server won't accidentally try to forward traffic to certain services running on your local networks. We run Coturn in a container and in a private container network by default, which should prevent such access anyway, but having additional block layers in place is better. + +If you access your Matrix server from a local network and need Coturn to relay to private IP addresses, you may observe that relaying is now blocked due to our new default `denied-peer-ip` lists (specified in `matrix_coturn_denied_peer_ips`). If you experience such connectivity problems, consider overriding this setting in your `vars.yml` file and removing certain networks from it. + + # 2023-01-21 ## The matrix-prometheus-node-exporter role lives independently now diff --git a/roles/custom/matrix-coturn/defaults/main.yml b/roles/custom/matrix-coturn/defaults/main.yml index 71c97b254..223d0d04e 100644 --- a/roles/custom/matrix-coturn/defaults/main.yml +++ b/roles/custom/matrix-coturn/defaults/main.yml @@ -69,7 +69,37 @@ matrix_coturn_turn_external_ip_address: '' matrix_coturn_turn_external_ip_addresses: ["{{ matrix_coturn_turn_external_ip_address }}"] matrix_coturn_allowed_peer_ips: [] -matrix_coturn_denied_peer_ips: [] + +# We block loopback interfaces and private networks by default to prevent private resources from being accessible. +# This is especially important when Coturn does not run within a container network (e.g. `matrix_coturn_docker_network: host`). +# +# Learn more: https://www.rtcsec.com/article/cve-2020-26262-bypass-of-coturns-access-control-protection/ +# +# If you're running Coturn for local network peers, you may wish to override these rules. +matrix_coturn_denied_peer_ips: + - 0.0.0.0-0.255.255.255 + - 10.0.0.0-10.255.255.255 + - 100.64.0.0-100.127.255.255 + - 127.0.0.0-127.255.255.255 + - 169.254.0.0-169.254.255.255 + - 172.16.0.0-172.31.255.255 + - 192.0.0.0-192.0.0.255 + - 192.0.2.0-192.0.2.255 + - 192.88.99.0-192.88.99.255 + - 192.168.0.0-192.168.255.255 + - 198.18.0.0-198.19.255.255 + - 198.51.100.0-198.51.100.255 + - 203.0.113.0-203.0.113.255 + - 240.0.0.0-255.255.255.255 + - ::1 + - 64:ff9b::-64:ff9b::ffff:ffff + - ::ffff:0.0.0.0-::ffff:255.255.255.255 + - 100::-100::ffff:ffff:ffff:ffff + - 2001::-2001:1ff:ffff:ffff:ffff:ffff:ffff:ffff + - 2002::-2002:ffff:ffff:ffff:ffff:ffff:ffff:ffff + - fc00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff + - fe80::-febf:ffff:ffff:ffff:ffff:ffff:ffff:ffff + matrix_coturn_user_quota: null matrix_coturn_total_quota: null