Binding to an unrestricted IP address
Description
Binding to all network interfaces can potentially open up a service to traffic on unintended interfaces, that may not be properly documented or secured. By passing "0.0.0.0", "::" or an empty string as the address to the `socket.bind` function, the application will bind to all interfaces.
Examples
Insecure Code
python
sock.bind(("0.0.0.0", 9777))Secure Code
python
address = os.getenv("IP_ADDRESS", "127.0.0.1")
sock.bind((address, 9777))Remediation
Pass the interface IP address through an environment variable, configuration file, or determine the primary interface(s) IP address. For example, get the IP address from an environment variable `IP_ADDRESS`.
Rule Details
| Field | Value |
|---|---|
| ID | CODE-0113 |
| Category | InsecureConfig |
| Severity | LOW |
| CWE | CWE-1327 |
| Confidence | HIGH |
| Impact | LOW |
| Likelihood | MEDIUM |
| Exploitability | EASY |
| Tags | network, interface |
| OWASP | A6:2017-Security Misconfiguration, A05:2021-Security Misconfiguration |