<!DOCTYPE qhelp PUBLIC
"-//Semmle//qhelp//EN"
"qhelp.dtd">
<qhelp>
<overview>
<p>Sockets can be used to communicate
with other machines on a network.
You can use the (IP address, port) pair
to define the access restrictions for the socket you create.
When using the built-in Python <code>socket</code> module
(for instance, when building a message sender service
or an FTP server data transmitter),
one has to bind the port to some interface.
When you bind the port to all interfaces
using <code>0.0.0.0</code> as the IP address,
you essentially allow it to accept connections from any IPv4 address
provided that it can get to the socket via routing.
Binding to all interfaces is therefore associated with security risks.</p>
</overview>
<recommendation>
<p>Bind your service's incoming traffic only to a dedicated interface.
If you need to bind to more than one interface
using the built-in <code>socket</code> module,
create one socket per interface (instead of binding a single socket to all interfaces).</p>
</recommendation>
<example>
<p>In this example, two sockets are insecure because they are bound to all interfaces;
one through the <code>0.0.0.0</code> notation
and another one through an empty string <code>''</code>.
</p>
<sample src="BindToAllInterfaces.py" />
</example>
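The <code>BindToAllInterfaces.py</code> sample the example refers to is not reproduced on this page. The following is an added illustration, not the query's own sample: it shows the two wildcard binds the page describes (<code>0.0.0.0</code> and the empty string) and the recommended alternative of one socket per named interface. It goes slightly beyond the IPv4 case by also treating the IPv6 wildcard <code>::</code> as a bind-to-all address. The function names are assumptions chosen for this example; the loopback address <code>127.0.0.1</code> and port <code>0</code> (let the OS pick a free port) are constructed inputs so the code runs offline.

```python
import socket
from typing import Iterable, List

# Host strings that make the built-in socket module bind to every interface.
# '0.0.0.0' is the explicit IPv4 wildcard; '' is socket-module shorthand for INADDR_ANY.
WILDCARD_IPV4 = {"0.0.0.0", ""}
# '::' is the IPv6 equivalent (added here as a generalization beyond the page's IPv4 text).
WILDCARD_IPV6 = {"::"}


def binds_to_all_interfaces(host: str) -> bool:
    """Return True if binding with this host string would accept traffic on all interfaces."""
    return host in WILDCARD_IPV4 or host in WILDCARD_IPV6


def insecure_bind(host: str, port: int) -> socket.socket:
    """The pattern the query flags: bind one socket to a wildcard address.

    Shown only to make the risky form concrete; the socket is returned unlistened
    so the caller can inspect and close it.
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.bind((host, port))  # host is '0.0.0.0' or '' here, so every IPv4 interface answers
    return sock


def bind_to_interfaces(hosts: Iterable[str], port: int) -> List[socket.socket]:
    """Recommended form: one socket per dedicated interface address, wildcards refused.

    Raises ValueError instead of silently exposing the service on every interface.
    """
    sockets: List[socket.socket] = []
    try:
        for host in hosts:
            if binds_to_all_interfaces(host):
                raise ValueError(f"refusing to bind to all interfaces via {host!r}")
            family = socket.AF_INET6 if ":" in host else socket.AF_INET
            sock = socket.socket(family, socket.SOCK_STREAM)
            sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
            sock.bind((host, port))
            sockets.append(sock)
    except Exception:
        for sock in sockets:  # do not leak half-built listener sets
            sock.close()
        raise
    return sockets


def bound_addresses(sockets: Iterable[socket.socket]) -> List[str]:
    """Report the address each socket actually landed on, for auditing."""
    return [s.getsockname()[0] for s in sockets]


if __name__ == "__main__":
    # Constructed inputs: loopback only, port 0 lets the OS choose a free port.
    good = bind_to_interfaces(["127.0.0.1"], 0)
    print("bound to:", bound_addresses(good))
    for s in good:
        s.close()
    try:
        bind_to_interfaces(["0.0.0.0"], 0)
    except ValueError as exc:
        print("refused:", exc)
```

When auditing a service, <code>bound_addresses</code> on its live sockets (or the equivalent <code>ss</code>/<code>netstat</code> output) tells you whether a listener ended up on <code>0.0.0.0</code> regardless of what the configuration file claims.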
<references>
<li>Python reference: <a href="https://docs.python.org/3/library/socket.html#socket-families">
Socket families</a>.</li>
<li>Python reference: <a href="https://docs.python.org/3.7/howto/sockets.html">
Socket Programming HOWTO</a>.</li>
<li>Common Vulnerabilities and Exposures: <a href="https://nvd.nist.gov/vuln/detail/CVE-2018-1281">
CVE-2018-1281 Detail</a>.</li>
</references>
</qhelp>