Vulnerability in Azure App Service exposed hundreds of source code repositories
A vulnerability in Microsoft Corp.’s Azure App Service has been found to expose hundreds of source code repositories.
Discovered by security researchers at Wiz Inc. and detailed Dec. 21, the vulnerability, dubbed “NotLegit,” involves insecure default behavior in the Azure App Service. The vulnerability, which has existed since September 2017, exposed the source code of customer applications written in PHP, Python, Ruby or Node that were deployed using “Local Git.”
Azure App Service, also known as Azure Web Apps, is a cloud computing-based platform for hosting websites and web applications. There are multiple ways to deploy source code and artifacts to the Azure App Service, Local Git being one. A customer initiates a Local Git repository with the Azure App Service container and pushes the code straight to the server.
The use of Local Git is where the issue arises. When the Local Git deployment method was used to deploy to the Azure App Service, the git repository was created within a publicly accessible directory that anyone could access.
To protect those files, a web.config file was added to the git folder within the public directory to restrict public access, a practice the researchers described as a quirk unique to Microsoft. However, only Microsoft’s IIS web server honors web.config files, which works fine for C# and ASP.NET applications deployed on IIS, but not for other web servers.
With PHP, Ruby, Python and Node, deployments typically use web servers such as Apache, Nginx and Flask, which do not handle web.config files. As a result, no protection was in place and the source code was exposed to all and sundry.
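The pre-deployment check below is an added example written for this article, not tooling from Wiz or Microsoft. It flags a Local Git checkout that sits inside the public web root and whose only guard is an IIS-style web.config, which the runtime's web server will ignore unless it is IIS; the runtime labels, the constructed sample files and the recognised Apache rule form (`RedirectMatch 403|404 /\.git`) are assumptions.

```python
import re
import tempfile
from pathlib import Path

IIS_RUNTIMES = {"aspnet", "dotnet"}  # assumed labels; only IIS honours web.config

def git_dirs_under(webroot):
    """Every .git directory below the public web root."""
    return [p for p in Path(webroot).rglob(".git") if p.is_dir()]

def htaccess_denies_git(webroot):
    """True if an Apache .htaccess blocks /.git (recognises RedirectMatch 403/404 only)."""
    rule = Path(webroot, ".htaccess")
    return rule.is_file() and re.search(r"RedirectMatch\s+40[34]\s+/\\?\.git", rule.read_text()) is not None

def check_webroot(webroot, runtime):
    """Findings for repos that a non-IIS server would serve to the public."""
    findings = []
    for repo in git_dirs_under(webroot):
        iis_guard = (repo / "web.config").is_file()
        if runtime in IIS_RUNTIMES and iis_guard:
            continue  # IIS enforces the web.config, so .git is not served
        if htaccess_denies_git(webroot):
            continue  # Apache-level rule covers it regardless of web.config
        findings.append(f"{repo}: exposed ({runtime} ignores web.config)")
    return findings

def build_sample_webroot(root, apache_rule=False):
    """Constructed sample: Local Git checkout in the web root plus an Azure-style web.config."""
    repo = Path(root, ".git")
    repo.mkdir()
    (repo / "HEAD").write_text("ref: refs/heads/master\n")
    (repo / "web.config").write_text("<!-- constructed stand-in for the IIS-only deny rule -->\n")
    if apache_rule:
        Path(root, ".htaccess").write_text("RedirectMatch 404 /\\.git\n")

def demo():
    """Run the check on constructed web roots; returns {scenario: findings}."""
    results = {}
    for scenario, rule, runtime in (("php", False, "php"), ("aspnet", False, "aspnet"),
                                    ("php+htaccess", True, "php")):
        with tempfile.TemporaryDirectory() as root:
            build_sample_webroot(root, apache_rule=rule)
            results[scenario] = check_webroot(root, runtime)
    return results

if __name__ == "__main__":
    for scenario, findings in demo().items():
        print(scenario, findings or "no exposure")
```

For Nginx, which has no .htaccess mechanism, the equivalent guard is a `location ~ /\.git { deny all; }` block in the server configuration; this script does not inspect Nginx configuration.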
The Wiz researchers reported the security flaw to Microsoft on Oct. 7 and it has now been mitigated. That said, they warn that small groups of customers could still be potentially exposed and should take certain actions to protect their applications. Those affected were emailed notifications by Microsoft based on their configuration between Dec. 7 and Dec. 15.
Microsoft also granted Wiz a $7,500 bounty for their efforts, which the company plans to donate.