A flaw in Microsoft Azure App Service exposes customer source code

A vulnerability in the Microsoft Azure App Service led to the exposure of customer source code for at least four years.

Early this month, Microsoft has notified a small group of Azure customers that have been impacted by a recently discovered bug, dubbed NotLegit, that exposed the source code of their Azure web apps since at least September 2017.

The NotLegit vulnerability was likely exploited by threat actors in attacks in the wild.

The flaw was discovered by researchers from the Wiz Research Team, it is insecure default behavior in the Azure App Service that exposed the source code of customer applications written in PHP, Python, Ruby, or Node, that were deployed using “Local Git”.

The vulnerability was discovered by security firm Wiz, which reported the bug to Microsoft in September. The issue was fixed in November.

The vulnerability resides in Azure App Service, which is a cloud platform for hosting websites and web applications.

Azure supports multiple methods to deploy source code and artifacts to the Azure App service, including the “Local Git”. The “Local Git” allows developers to initiate a local Git repository within the Azure App Service container that enables them to push their code straight to the server.

Only customers that selected the “Local Git” option to deploy their websites from a Git repository hosted on the same Azure server were impacted and their source code was also exposed online.

Every PHP, Node, Ruby, and Python application deployed on Linux-based Azure servers using this method was impacted. Apps hosted on Windows Server systems were not impacted.

“MSRC was informed by Wiz.io, a cloud security vendor, under Coordinated Vulnerability Disclosure (CVD) of an issue where customers can unintentionally configure the .git folder to be created in the content root, which would put them at risk for information disclosure. This, when combined with an application configured to serve static content, makes it possible for others to download files not intended to be public.” reads the advisory published by Microsoft.

Wiz Research Team speculates the attack was exploited in the wild. The experts deployed a vulnerable Azure App Service app, linked it to an unused domain, and within four days they saw the first attempts made by threat actors to access the contents of the exposed source code folder.

Microsoft fixed the issue by updating all PHP images to disallow serving the .git folder as static content as a defense in-depth measure.

The IT giant granted Wiz a $7,500 bounty for reporting this flaw, and the security firm has announced that it plans to donate the reward.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, azure app service)

[adrotate banner=”5″]

[adrotate banner=”13″]