CVE-2020-6062: 
NixOS vulnerability analysis and mitigation

CVE-2020-6062 is a denial-of-service vulnerability discovered in CoTURN version 4.5.1.1's web server component, specifically in how it parses POST requests. The vulnerability was discovered by Aleksandar Nikolic of Cisco Talos and was publicly disclosed on February 18, 2020. The affected software, CoTURN, is a TURN server implementation that can be used as a general-purpose network traffic TURN server and gateway (Talos).

The vulnerability exists in the code responsible for parsing POST request body variables. When processing key/value pairs from POST request body into a dictionary, the strtok_r function can return a NULL value if the left hand side of the split is empty. This NULL pointer is subsequently used in a call to strdup, resulting in a NULL pointer dereference and process crash. The vulnerability has been assigned a CVSS v3.1 base score of 7.5 (HIGH) by NIST and 5.9 (MEDIUM) by Talos, with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (NVD, Talos).

When exploited, this vulnerability can lead to a server crash and denial of service. The attack can be triggered by sending a specially crafted HTTP POST request to the affected server, making it relatively straightforward to exploit (Talos).

The vulnerability was patched in subsequent releases. Various Linux distributions have released security updates to address this issue: Ubuntu has released fixes for versions 16.04 ESM, 18.04 ESM, 19.10, and 20.04 LTS; Debian has patched versions 9.0 and 10.0; and Fedora has released updates for versions 30, 31, and 32 (Ubuntu, Debian, Fedora).