Microsoft notifies customers of Azure bug that exposes source code

news

Microsoft announced that it has notified some Azure users affected by a bug that exposes the source code of Azure web apps since September 2017.

/blog/2021/12/azure-app-service-linux-source-repository-exposure/

MSRC was notified by cloud security vendor Wiz.io, under Coordinated Vulnerability Disclosure (CVD), of an issue that allows customers to unintentionally create a .git folder in the content root, posing a risk of information leakage. When combined with applications configured to serve static content, it is possible for others to download files that are not intended to be published. We have notified a limited subset of customers who we believe are at risk from this issue and will work with them to ensure their applications are secure.

This vulnerability was discovered by cloud security firm Wiz and reported to Microsoft in September 2021. The issue was fixed in November, but Microsoft is still investigating how many customers were affected during this time.

Vulnerability Affects Azure’s Website Hosting Capabilities

The vulnerability, nicknamed “NotLegit,” exists in the Azure App Service, a feature of the Azure cloud that allows customers to deploy websites and web apps from a source code repository.

Wiz researchers found that the source code was exposed online whenever an Azure customer selected the “Local Git” option and deployed a website from a Git repository hosted on the same Azure server.

All PHP, Node, Ruby and Python applications deployed in this manner were affected, Microsoft said in a blog post. Only applications deployed on Linux-based Azure servers were affected, while applications hosted on Windows Server systems were not.

Apps deployed as far back as 2013 were affected, but the exposure began in September 2017, when the vulnerability was introduced into Azure’s systems, the Wiz team said in a report.

NotLegit: Azure App Service vulnerability exposed hundreds of source code repositories | Wiz Blog

The Wiz research team discovered that the insecure default behavior of Azure App Service exposed the source code of customer applications written in PHP, Python, Ruby, and Node that were deployed using “Local Git”. This vulnerability, which we dubbed “NotLegit”, has existed since September 2017 and has likely been exploited in the real world.

Wiz reported this security flaw to Microsoft on October 7, 2021, and it has since been fixed. A smaller group of customers is still potentially exposed and should take specific actions to protect their applications, as detailed in several email alerts issued by Microsoft between December 7 and 15, 2021.

Vulnerability has likely been exploited

The most dangerous disclosure scenario is a situation where the published source code contains a .git configuration file, which itself contains passwords and access tokens for other customer systems such as databases and APIs.

For the past decade, multiple botnets have been constantly scanning the Internet for accidentally published .git files, knowing that their contents would give attackers access to more valuable corporate infrastructure.

Shir Tamari, head of research at Wiz, said he thinks it is very likely that this vulnerability was exploited indirectly.

Tamari said he created an insecure Azure-hosted website for testing purposes and saw five different attackers access the exposed source code and .git configuration files in a four-hour period.
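As an added example (not from the article, Wiz, or Microsoft), the following Python check scans web-server access-log lines for requests aimed at a .git directory, the kind of automated probing the article says botnets perform and that Tamari observed against his test site, and reports which clients probed and which .git files the server actually handed out. The log lines are constructed for the example and the combined log format is assumed.

```python
"""Flag requests for an exposed .git directory in web-server access logs.

Added example (not from the article, Wiz or Microsoft). The log lines below
are constructed in Apache/nginx "combined" format to mimic .git probing.
"""
import re
from collections import defaultdict
from urllib.parse import unquote

# Constructed sample log lines (not real traffic); the IPs are documentation ranges.
SAMPLE_LOG = """\
203.0.113.7 - - [20/Dec/2021:10:01:12 +0000] "GET /.git/HEAD HTTP/1.1" 200 23 "-" "python-requests/2.25"
203.0.113.7 - - [20/Dec/2021:10:01:13 +0000] "GET /.git/config HTTP/1.1" 200 312 "-" "python-requests/2.25"
198.51.100.22 - - [20/Dec/2021:10:02:40 +0000] "GET /%2Egit/HEAD HTTP/1.1" 200 23 "-" "curl/7.68"
192.0.2.9 - - [20/Dec/2021:10:03:05 +0000] "GET /index.php HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
198.51.100.22 - - [20/Dec/2021:10:03:50 +0000] "GET /.git/objects/ HTTP/1.1" 403 0 "-" "curl/7.68"
"""

# Combined log format: client ip, identd, user, [timestamp], "METHOD path proto", status, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def is_git_probe(path: str) -> bool:
    """True if the request path targets a .git directory once percent-decoded."""
    # Decode twice so a double-encoded "%252Egit" is also caught; drop the query string.
    decoded = unquote(unquote(path)).split("?", 1)[0].lower()
    return "/.git/" in decoded or decoded.endswith("/.git")


def find_git_probes(log_text: str) -> dict:
    """Return {client_ip: [(path, status), ...]} for every .git request in the log."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or not is_git_probe(m["path"]):
            continue
        hits[m["ip"]].append((m["path"], int(m["status"])))
    return dict(hits)


def leaked_paths(hits: dict) -> list:
    """Paths answered with 2xx: evidence that .git content actually left the server."""
    return sorted({p for reqs in hits.values() for p, s in reqs if 200 <= s < 300})


if __name__ == "__main__":
    probes = find_git_probes(SAMPLE_LOG)
    for ip, reqs in probes.items():
        print(f"{ip}: {len(reqs)} .git request(s)")
    print("served .git files:", leaked_paths(probes))
```

A 403 or 404 on these paths shows the probe was blocked; a 200 on `.git/config` or `.git/HEAD` is the case the article describes and should be treated as a leak of the repository and any credentials committed to it.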
