Vulnerability in Azure App Service exposed hundreds of source code repositories

Drop us a message

Since September 2017, a security issue in Microsoft’s Azure App Service has exposed the source code of customer applications written in Java, Node, PHP, Python, and Ruby for at least four years. Wiz researchers revealed the vulnerability, codenamed “NotLegit,” to the tech giant on October 7, 2021, following mitigating efforts to fix the information exposure flaw in November.

Microsoft stated that only a “small group of customers” were affected, adding that “customers that deployed code to App Service Linux via Local Git after building application files were the only customers affected.”

Azure App Service (formerly Azure Online Apps) is a cloud-based platform for developing and hosting web applications. It enables users to deploy source code and artifacts to a service through a local Git repository or repositories hosted on GitHub and Bitbucket.

The problem comes with the use of Local Git. When using the Local Git deployment technique to deploy to the Azure App Service, the Git repository was generated in a publicly available direct that anybody may view.

Mitigation

Microsoft did initially deploy mitigation, in the form of adding a “web. config” file to the Git folder within the public directory, which restricted public access; however, this appears to be an imperfect remedy.

According to Wiz, “only Microsoft’s IIS web server handles web. config files.” “However, if you use PHP, Ruby, Python, or Node…these programming languages are deployed with various webservers (Apache, Nginx, Flask, and so on) that do not handle web. config files, leaving them unaffected by the mitigation and hence entirely exposed.”

Wiz reported the lingering flaw to Microsoft in October and was paid a $7,500 incentive for the discovery; the computer giant distributed updates to impacted users through email between December 7 and 15.

Exposed Git Folder Risk

Researchers noted that because Git folders are frequently accidentally exposed due to misconfiguration (rather than vulnerabilities, as in this case), fraudsters are on the watch for them.

They stated, “An exposed Git folder is a typical security risk that individuals make without even recognizing it.” “Hackers are constantly scouring the internet for exposed Git folders where they can steal secrets and intellectual property.”

Wiz tested exploitation by deploying a susceptible Azure App Service application and linking it to an unused domain.

“[We] carefully waited to see whether anyone attempted to access the Git files,” they explained. “We were not shocked to find many requests for the Git folder from unknown actors within four days of deployment….this exploitation approach is actively being exploited.”

Measures Taken By Microsoft

After this issue, Microsoft made the following steps:

  • All PHP images to be modified to prevent serving the git folder as static content, as a defense in depth strategy.
  • Customers impacted by the activation of in-place deployment were notified and given specific instructions on how to resolve the problem. Customers who had the git folder uploaded to the content directors also were notified.
  • A section on safeguarding source code to Security Recommendations document was added. In addition, the documentation for in-place deployments has been updated.

Rogue Logics provides in-depth security services for the assessment and protection of your application, data, and infrastructure against potential threats on-prem or in the cloud.

Want a consultation with the professionals at Rogue Logics? contact us and get a free quote.

Drop us a message

Drop us a message

Get Free Audit Report