In a statement, Microsoft’s Security Response Center (MSRC) has confirmed a bug in the Azure cloud, dubbed NotLegit, that may have exposed the data of several of its customers. Microsoft’s confirmation came after the research division of cloud security vendor Wiz, an 18-month-old Israeli security startup, detected an insecure default behavior in the Azure App Service (aka Azure Web Apps).
The bug exposed the source code of customer applications written in PHP, Python, Ruby, or Node, deployed using “Local Git”.
Microsoft did not explicitly say that the vulnerability had been exploited. However, Wiz notes that the four-year-old vulnerability has undoubtedly been exploited in the wild as a zero-day.
According to Microsoft, not all users of Local Git were impacted. The only affected customers were those who deployed code to App Service Linux via Local Git after files had already been created in the application. Microsoft has notified the customers it believes could be at risk.
What you need to know
Wiz says it reported the issue to Microsoft on October 7th, 2021: customers could inadvertently end up with the ‘.git folder’ in the content root of their application, putting its contents at risk of exposure. It adds that while the fix was deployed in November, a small group of users could still be exposed and should take proactive action to protect their applications.
“As this exploitation method is straightforward, common, and is actively being exploited, we encourage all affected users to overview their application’s source code and evaluate the potential risk,” Wiz warned enterprise users in its blog. It says the following categories of enterprises or customers are at risk:
- Users who deployed code via FTP, Web Deploy, or Bash/SSH, which resulted in files being initialized in the web app before any Git deployment
- Users who enabled Local Git on the web app
- Users who then ran a Git clone/push sequence to publish updates
Wiz reports that the only applications that were not impacted by this security flaw are IIS-based applications.
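The exposure described above comes down to a .git directory sitting under the served content root. As an added illustration, not from Wiz’s or Microsoft’s material, the following Python check does two defender-side things: it flags access-log requests that reach into a .git directory (after percent-decoding and path normalisation, so obfuscated forms are not missed) and it checks whether a .git directory exists under a given content root. The log lines, client IPs and paths are constructed for the example.

```python
import os
import posixpath
import re
import tempfile
from urllib.parse import unquote

# Constructed sample of Common Log Format access-log lines (not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Dec/2021:10:00:01 +0000] "GET /index.php HTTP/1.1" 200 512
203.0.113.5 - - [10/Dec/2021:10:00:02 +0000] "GET /.git/HEAD HTTP/1.1" 200 23
198.51.100.7 - - [10/Dec/2021:10:00:03 +0000] "GET /static/%2e%67it/config HTTP/1.1" 200 92
198.51.100.7 - - [10/Dec/2021:10:00:04 +0000] "GET /a/../.GIT/index HTTP/1.1" 403 0
198.51.100.7 - - [10/Dec/2021:10:00:05 +0000] "GET /.gitignore HTTP/1.1" 404 0
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|HEAD|POST) (\S+) HTTP/[\d.]+" (\d{3})')

def touches_git_dir(url_path: str) -> bool:
    """True if the request path reaches into a .git directory.
    The path is percent-decoded and normalised first so encoded or
    traversal-obfuscated forms (/%2e%67it/, /a/../.git/) are caught; the
    same check can refuse such requests before a static-file handler runs.
    Files such as .gitignore are not the repository directory and are ignored."""
    decoded = unquote(url_path.split("?", 1)[0])
    norm = posixpath.normpath("/" + decoded.lstrip("/"))
    return any(part.lower() == ".git" for part in norm.split("/"))

def git_probe_hits(log_text: str) -> list:
    """Return (client_ip, path, status) for every request touching .git.
    A 200 on such a path means the repository content was actually served."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and touches_git_dir(m.group(2)):
            hits.append((m.group(1), m.group(2), int(m.group(3))))
    return hits

def git_dir_in_content_root(root: str) -> bool:
    """Mitigation check: is a .git directory present under the served root?"""
    return os.path.isdir(os.path.join(root, ".git"))

def demo_content_root_check() -> tuple:
    """Run the root check on a throwaway directory: (before, after) creating .git."""
    with tempfile.TemporaryDirectory() as root:
        before = git_dir_in_content_root(root)
        os.mkdir(os.path.join(root, ".git"))
        return before, git_dir_in_content_root(root)
```

Running git_probe_hits on the sample reports three hits, two of which were served with status 200, which is the signal that the repository was actually readable at the time of the request.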
Microsoft’s response
Microsoft emailed different notifications to all impacted users based on their configuration between December 7th-15th, 2021. The IT major has also updated its Security Recommendations document with an additional section on securing source code and the documentation for in-place deployments.
Along with the above, Microsoft has also updated all PHP images to disallow serving the .git folder as static content, as a defense-in-depth measure. In 2021, various vulnerabilities were discovered in multiple Microsoft products, including Azure Cosmos DB, Exchange, Windows Print Spooler, and Trident.