Multiple Binds to the Same Port

Draft Variant
Structure: Simple
Description

This vulnerability occurs when a system's socket configuration allows multiple applications to bind to the same network port simultaneously. This can let a malicious process hijack or impersonate legitimate services running on that port.

Extended Description

The core of the issue lies in the SO_REUSEADDR socket option. On most operating systems, when this option is set, the bind() system call allows a new process to bind to a port even if it's already in use by another process that bound to INADDR_ANY (all interfaces). This effectively bypasses the typical port reservation mechanism. As a result, an attacker can create a socket that binds specifically to the server's IP address on an unprivileged port. This lets them intercept or 'steal' incoming UDP packets or TCP connection requests intended for the original, legitimate service, leading to denial of service, data theft, or spoofing attacks.

Common Consequences 1
Scope: Confidentiality, Integrity

Impact: Read Application Data

Packets from a variety of network services may be stolen or the services spoofed.

Potential Mitigations 1
Phase: Policy
Restrict server socket address to known local addresses.
Demonstrative Examples 1

ID : DX-184

This code binds a server socket to port 21, allowing the server to listen for traffic on that port.

Code Example:

Bad (C)

/* unlink the socket if already bound to avoid an error when bind() is called */

This code may result in two servers binding a socket to the same port, thus receiving each other's traffic. This could be used by an attacker to steal packets meant for another process, such as a secure FTP server.
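
Whether a host permits the overlapping bind described in the Extended Description can be checked with a small probe. The following is an added example, not part of the original entry; the results noted in its comments are Linux UDP behaviour. The helper names, the use of UDP, and the kernel-chosen port (instead of port 21) are assumptions made for the example.

```c
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Hypothetical helper: bind a UDP socket to addr:port (host byte order),
 * optionally setting SO_REUSEADDR first. Returns the fd, or -1 with errno set. */
static int bind_udp(uint32_t addr, uint16_t port, int reuse) {
    struct sockaddr_in sa;
    int fd = socket(AF_INET, SOCK_DGRAM, 0);
    if (fd < 0) return -1;
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_port = htons(port);
    sa.sin_addr.s_addr = htonl(addr);
    if ((reuse && setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &reuse, sizeof reuse) < 0)
        || bind(fd, (struct sockaddr *)&sa, sizeof sa) < 0) {
        int saved = errno; close(fd); errno = saved;  /* keep bind's errno */
        return -1;
    }
    return fd;
}

/* The "server" binds INADDR_ANY on a kernel-chosen port, with or without
 * SO_REUSEADDR. A second socket that sets SO_REUSEADDR then binds second_addr
 * on the same port. Returns 0 if that bind succeeded, its errno if it was
 * refused, or -1 on setup failure. On Linux the second bind succeeds only
 * when the server socket also set SO_REUSEADDR. */
int second_bind_errno(int server_reuse, uint32_t second_addr) {
    struct sockaddr_in sa;
    socklen_t len = sizeof sa;
    int result, other, srv = bind_udp(INADDR_ANY, 0, server_reuse);
    if (srv < 0) return -1;
    if (getsockname(srv, (struct sockaddr *)&sa, &len) < 0) { close(srv); return -1; }
    other = bind_udp(second_addr, ntohs(sa.sin_port), 1);
    result = (other >= 0) ? 0 : errno;
    if (other >= 0) close(other);
    close(srv);
    return result;
}

int main(void) {
    printf("server sets SO_REUSEADDR:  %d\n", second_bind_errno(1, INADDR_LOOPBACK));
    printf("server omits SO_REUSEADDR: %d\n", second_bind_errno(0, INADDR_LOOPBACK));
    return 0;
}
```

A result of 0 means a second socket was able to share the server's port; a nonzero result is the errno with which the kernel refused the overlapping bind.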
Applicable Platforms
Languages:
Not Language-Specific : Undetermined
Modes of Introduction
Implementation
Operation
Taxonomy Mapping
  • Software Fault Patterns