Socket Binding To All Interfaces
ID | go.socket_binding_to_all_interfaces
Severity | high
Resource | Access Control
Language | Go
Tags | CWE:200, NIST.SP.800-53, PCI-DSS:6.5.6
Description
Socket binding to all interfaces occurs when a network service is configured to listen on all available network interfaces, potentially exposing it to unauthorized access.
Rationale
Binding a socket to all interfaces (e.g., using IP address 0.0.0.0) can expose the service to external networks, increasing the risk of unauthorized access or exploitation, particularly if the service is not intended to be publicly accessible.
Here’s an example of socket binding to all interfaces for Golang:
package socket_binding_to_all_interfaces

import (
	"log"
	"net"
)

func main() {
	// 0.0.0.0 is the IPv4 wildcard: the listener accepts connections on every interface.
	l, err := net.Listen("tcp", "0.0.0.0:3000") // FLAW
	if err != nil {
		log.Fatal(err)
	}
	defer l.Close()
}
Remediation
To remediate this issue, bind the socket to a specific interface IP address, such as 127.0.0.1 for local-only access, or another appropriate internal network IP.
Here’s how you can implement the remediation:
package socket_binding_to_all_interfaces

import (
	"log"
	"net"
)

func main() {
	// Loopback only: the listener is reachable from the local host, not from the network.
	l, err := net.Listen("tcp", "127.0.0.1:3000")
	if err != nil {
		log.Fatal(err)
	}
	defer l.Close()
}
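The wildcard bind is not always spelled 0.0.0.0: Go also treats an empty host (":3000") and the IPv6 unspecified address ("[::]:3000") as listening on all interfaces. The following added example (not part of this rule's own samples) shows a small check that classifies a listen address before it reaches net.Listen, and a helper that defaults to loopback and refuses a wildcard bind unless the caller opts in explicitly. The function names are ours, not from any library.

```go
package main

import (
	"fmt"
	"net"
)

// bindsAllInterfaces reports whether a host:port listen address would make
// net.Listen accept connections on every interface. An empty host, 0.0.0.0
// and :: are all wildcard binds in Go.
func bindsAllInterfaces(addr string) (bool, error) {
	host, _, err := net.SplitHostPort(addr)
	if err != nil {
		return false, err
	}
	if host == "" {
		return true, nil
	}
	ip := net.ParseIP(host)
	if ip == nil {
		// A hostname is resolved at listen time; it is not a wildcard literal.
		return false, nil
	}
	return ip.IsUnspecified(), nil
}

// listenAddr builds the address a service should bind: loopback by default,
// and a wildcard only when allowPublic is set deliberately (e.g. in config).
func listenAddr(host string, port int, allowPublic bool) (string, error) {
	if host == "" {
		host = "127.0.0.1"
	}
	addr := net.JoinHostPort(host, fmt.Sprint(port))
	wild, err := bindsAllInterfaces(addr)
	if err != nil {
		return "", err
	}
	if wild && !allowPublic {
		return "", fmt.Errorf("refusing to bind %s on all interfaces without explicit opt-in", addr)
	}
	return addr, nil
}

func main() {
	// Constructed sample addresses covering the wildcard spellings and safe binds.
	for _, a := range []string{"0.0.0.0:3000", ":3000", "[::]:3000", "127.0.0.1:3000", "10.0.0.5:3000"} {
		wild, err := bindsAllInterfaces(a)
		fmt.Printf("%-16s all-interfaces=%v err=%v\n", a, wild, err)
	}
}
```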
References
- CWE-200: Exposure of Sensitive Information to an Unauthorized Actor.