Socket Binding To All Interfaces
ID | python.socket_binding_to_all_interfaces
Severity | high
Resource | Access Control
Language | Python
Tags | CWE:200, NIST.SP.800-53, PCI-DSS:6.5.6
Description
Socket binding to all interfaces occurs when a network service is configured to listen on all available network interfaces, potentially exposing it to unauthorized access.
Rationale
Binding a socket to all interfaces (e.g., using IP address 0.0.0.0) can expose the service to external networks, increasing the risk of unauthorized access or exploitation, particularly if the service is not intended to be publicly accessible.
Here’s an example of socket binding to all interfaces in Python:
import socket
server_socket = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
server_socket.bind(('0.0.0.0', 8080)) # FLAW
server_socket.listen()
Remediation
To remediate this issue, bind the socket to a specific interface IP address, such as 127.0.0.1 for local-only access, or another appropriate internal network IP.
Here’s how you can bind the socket to the loopback interface only:
import socket
server_socket = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
server_socket.bind(('127.0.0.1', 8080)) # Secure: Binding to local interface only
server_socket.listen()
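As an added example (not part of the original rule page), the following is a minimal AST-based scanner for the pattern this rule describes: `bind()` calls whose literal host argument is a wildcard address. The function and constant names are assumptions, and the sample source is constructed from the flawed and remediated snippets above plus an IPv6 wildcard case.

```python
# Added example (not part of the original rule page): a minimal AST-based
# detector for bind() calls whose host argument is a wildcard address.
# Function and constant names are hypothetical.
import ast
from typing import List, Optional, Tuple

# Hosts that make a socket listen on every interface (IPv4 and IPv6 wildcards).
WILDCARD_HOSTS = {"0.0.0.0", "", "::"}


def _host_from_bind_arg(arg: ast.expr) -> Optional[str]:
    """Return the host string from a bind() address argument when it is a
    literal tuple such as ('0.0.0.0', 8080); otherwise None."""
    if isinstance(arg, ast.Tuple) and arg.elts:
        first = arg.elts[0]
        if isinstance(first, ast.Constant) and isinstance(first.value, str):
            return first.value
    return None


def find_wildcard_binds(source: str) -> List[Tuple[int, str]]:
    """Scan Python source and report (line number, host) for every
    `<obj>.bind((<host>, <port>, ...))` whose literal host is a wildcard."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)):
            continue
        if node.func.attr != "bind" or not node.args:
            continue
        host = _host_from_bind_arg(node.args[0])
        if host in WILDCARD_HOSTS:
            findings.append((node.lineno, host))
    return findings


# Constructed sample: the flawed and remediated snippets from the rule text,
# an IPv6 wildcard, and a non-literal host the scanner cannot judge statically.
SAMPLE_SOURCE = """\
import socket
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.bind(('0.0.0.0', 8080))
s.bind(('127.0.0.1', 8080))
s6 = socket.socket(socket.AF_INET6, socket.SOCK_STREAM)
s6.bind(('::', 8080, 0, 0))
s.bind((HOST, 8080))
"""

if __name__ == "__main__":
    for lineno, host in find_wildcard_binds(SAMPLE_SOURCE):
        print(f"line {lineno}: socket bound to wildcard host {host!r}")
```

The scanner only judges literal hosts; a host loaded from configuration (the `HOST` case) produces no finding and needs a runtime check or a review of the configuration value instead.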
References
- CWE-200: Exposure of Sensitive Information to an Unauthorized Actor.