Hacking

A flaw in Microsoft Azure App Service exposes customer source code

A vulnerability in the Microsoft Azure App Service led to the exposure of customer source code for at least four years.

Early this month, Microsoft notified a small group of Azure customers impacted by a recently discovered bug, dubbed NotLegit, that had exposed the source code of their Azure web apps since at least September 2017.

The NotLegit vulnerability was likely exploited by threat actors in attacks in the wild.

The flaw was discovered by researchers from the Wiz Research Team. It is an insecure default behavior in the Azure App Service that exposed the source code of customer applications written in PHP, Python, Ruby, or Node that were deployed using “Local Git”.

The vulnerability was discovered by security firm Wiz, which reported the bug to Microsoft in September. The issue was fixed in November.

The vulnerability resides in Azure App Service, which is a cloud platform for hosting websites and web applications.

Azure supports multiple methods to deploy source code and artifacts to the Azure App Service, including “Local Git”. “Local Git” lets developers initialize a Git repository inside the Azure App Service container and push their code straight to the server.

Only customers who selected the “Local Git” option to deploy their websites from a Git repository hosted on the same Azure server were impacted; their source code was exposed online.

Every PHP, Node, Ruby, and Python application deployed on Linux-based Azure servers using this method was impacted. Apps hosted on Windows Server systems were not impacted.

“MSRC was informed by Wiz.io, a cloud security vendor, under Coordinated Vulnerability Disclosure (CVD) of an issue where customers can unintentionally configure the .git folder to be created in the content root, which would put them at risk for information disclosure. This, when combined with an application configured to serve static content, makes it possible for others to download files not intended to be public.” reads the advisory published by Microsoft.

The Wiz Research Team speculates that the flaw was exploited in the wild. The experts deployed a vulnerable Azure App Service app, linked it to an unused domain, and within four days they saw the first attempts by threat actors to access the contents of the exposed source code folder.

Microsoft fixed the issue by updating all PHP images to disallow serving the .git folder as static content as a defense in-depth measure.
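The exposure described above (a `.git` folder sitting in the content root and being served as static content) is something you can audit for yourself. The following is an added example, not code from the article, Wiz, or Microsoft: it scans a local content root for `.git` directories before deployment, and probes your own deployed app for `/.git/HEAD`, validating the body so that hosts which answer every path with an HTML error page do not produce false positives. The function and file names are my own.

```python
"""Added example (not from the article or Microsoft): audit a web app for an
exposed .git folder, the NotLegit failure mode. Two checks: an offline scan of
the content root before deployment, and an HTTP probe of your own site."""
import os
import re
import urllib.error
import urllib.request

# A real .git/HEAD is either a symbolic ref or a bare 40/64-hex object id.
_HEAD_RE = re.compile(rb"^(ref: refs/\S+|[0-9a-f]{40}|[0-9a-f]{64})\s*$")


def looks_like_git_head(body: bytes) -> bool:
    """True if the bytes are a plausible .git/HEAD file (not an HTML 404 page)."""
    return bool(_HEAD_RE.match(body.strip()))


def find_git_dirs(content_root: str) -> list[str]:
    """Offline pre-deployment check: list every .git directory under the web
    content root. Anything found here would be served as static content."""
    hits = []
    for dirpath, dirnames, _ in os.walk(content_root):
        if ".git" in dirnames:
            hits.append(os.path.join(dirpath, ".git"))
            dirnames.remove(".git")  # no need to descend into the repo itself
    return hits


def git_head_exposed(base_url: str, timeout: float = 5.0) -> bool:
    """Probe your own deployed app: fetch /.git/HEAD and validate the body,
    because some hosts answer 200 with an HTML error page for any path."""
    url = base_url.rstrip("/") + "/.git/HEAD"
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            if resp.status != 200:
                return False
            return looks_like_git_head(resp.read(200))
    except (urllib.error.URLError, ValueError, OSError):
        return False


if __name__ == "__main__":
    import sys
    # Usage: python check_git_exposure.py <content_root> [https://your-app.example]
    for path in find_git_dirs(sys.argv[1]):
        print("WARNING: .git in content root:", path)
    if len(sys.argv) > 2:
        print(".git/HEAD exposed:", git_head_exposed(sys.argv[2]))
```

If the offline scan reports a hit, move the repository out of the content root or add a web server rule denying `.git`, which is the defense in depth Microsoft applied to its PHP images.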

The IT giant granted Wiz a $7,500 bounty for reporting this flaw, and the security firm has announced that it plans to donate the reward.


Pierluigi Paganini

(SecurityAffairs – hacking, azure app service)
