uWSGI Unauthorized Access Vulnerability
Description
uWSGI is a widely-used web application server that supports multiple protocols including WSGI, uwsgi, and HTTP. A critical vulnerability exists when the uWSGI protocol port is exposed to untrusted networks. Attackers can exploit this by sending specially crafted uwsgi protocol packets containing magic variables, specifically UWSGI_FILE, to execute arbitrary system commands through the exec:// protocol handler.
This vulnerability was confirmed on the target system where uWSGI port 8000 is publicly accessible and accepts unauthenticated uwsgi protocol requests, allowing remote code execution without any authentication.
Remediation
Immediately restrict access to the uWSGI protocol port to prevent unauthorized exploitation. Implement the following remediation steps:
1. Configure uWSGI to listen only on localhost:
Modify your uWSGI configuration to bind exclusively to the local interface. In your uWSGI configuration file (e.g., uwsgi.ini):
[uwsgi] socket = 127.0.0.1:8000 # or use unix socket for better security # socket = /tmp/uwsgi.sock
2. Use a reverse proxy:
Deploy a web server like Nginx or Apache as a reverse proxy in front of uWSGI to handle external requests. Example Nginx configuration:
upstream uwsgi_backend {
server 127.0.0.1:8000;
}
server {
listen 80;
location / {
include uwsgi_params;
uwsgi_pass uwsgi_backend;
}
}3. Implement network-level controls:
Configure firewall rules to block external access to the uWSGI port. Only allow connections from trusted sources (e.g., the reverse proxy server).
4. Verify the configuration:
After making changes, confirm that the uWSGI port is not accessible from external networks by testing connectivity and reviewing firewall rules.