CVE-2021-21382: 
Homebrew vulnerability analysis and mitigation

CVE-2021-21382 affects Restund, an open source NAT traversal server. The vulnerability was discovered in versions prior to 0.4.15 and patched in version 0.4.15. The issue allows attackers to relay traffic to loopback addresses, potentially exposing private services running on localhost (Wire Docs, GitHub Advisory).

The vulnerability exists in the TURN server functionality where the server can be instructed to open a relay to the loopback address range. An attacker could contact the status interface and issue administrative commands by setting XOR-PEER-ADDRESS to 127.0.0.1:{{restundudpstatus_port}} when opening a TURN channel. The CVSS score is 9.6 CRITICAL (Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N) (NVD).

The vulnerability allows attackers to reach any service running on localhost which might be considered private. In the default configuration, the status interface of restund is enabled and listening on 127.0.0.1, allowing attackers to issue administrative commands to restund like listing open relays or draining connections (GitHub Advisory).

The vulnerability was patched in version 0.4.15 by explicitly disallowing relaying to loopback addresses, 'any' addresses, link local addresses, and the broadcast address. As workarounds, users can: 1) Disable the status module in restund configuration, 2) Disable the turn module (though restund will still perform STUN), 3) Set up firewall rules to prevent relaying to unwanted addresses. TURN servers should ideally be deployed in an isolated fashion where they can only reach what they need for NAT traversal (GitHub Advisory).