Binding to an Unrestricted IP Address

The product assigns the address 0.0.0.0 for a database server, a cloud service/instance, or any computing resource that communicates remotely.


Description

When a server binds to the address 0.0.0.0, it allows connections from every IP address on the local machine, effectively exposing the server to every possible network. This might be much broader access than intended by the developer or administrator, who might only be expecting the server to be reachable from a single interface/network.

Demonstrations

The following examples help to illustrate the nature of this weakness and describe methods or techniques which can be used to mitigate the risk.

Note that the examples here are by no means exhaustive and any given weakness may have many subtle varieties, each of which may require different detection methods or runtime controls.

Example One

The following code snippet uses 0.0.0.0 in a Puppet script.

signingserver::instance {

  "nightly-key-signing-server":
    listenaddr     => "0.0.0.0",
    port           => "9100",
    code_tag       => "SIGNING_SERVER",

  }

The Puppet code snippet is used to provision a signing server that will use 0.0.0.0 to accept traffic. However, as 0.0.0.0 is unrestricted, malicious users may use this IP address to launch frequent requests and cause denial of service attacks.

signingserver::instance {

  "nightly-key-signing-server":
    listenaddr     => "127.0.0.1",
    port           => "9100",
    code_tag       => "SIGNING_SERVER",

  }

See Also

Comprehensive Categorization: Exposed Resource

Weaknesses in this category are related to exposed resource.

Communication Channel Errors

Weaknesses in this category are related to improper handling of communication channels and access paths. These weaknesses include problems in creating, managing, or re...

Comprehensive CWE Dictionary

This view (slice) covers all the elements in CWE.

Weakness Base Elements

This view (slice) displays only weakness base elements.


Common Weakness Enumeration content on this website is copyright of The MITRE Corporation unless otherwise specified. Use of the Common Weakness Enumeration and the associated references on this website are subject to the Terms of Use as specified by The MITRE Corporation.