UPDATED 19:57 EDT / DECEMBER 22 2021

SECURITY

Vulnerability in Azure App Service exposed hundreds of source code repositories

A vulnerability in Microsoft Corp.’s Azure App Service has been found to expose hundreds of source code repositories.

Discovered by security researchers at Wiz Inc. and detailed Dec. 21, the vulnerability, dubbed “NotLegit,” involves insecure default behavior in the Azure App Service. The vulnerability, which has existed since September 2017, exposed the source code of customer applications written in PHP, Python, Ruby or Node that were deployed using “Local Git.”

Azure App Service, also known as Azure Web Apps, is a cloud computing-based platform for hosting websites and web applications. There are multiple ways to deploy source code and artifacts to the Azure App Service, Local Git being one. A customer initiates a Local Git repository with the Azure App Service container and pushes the code straight to the server.

The use of Local Git is where the issue arises. Where the Local Git deployment method was used to deploy to the Azure App Service, the git repository was created within a publicly accessible directory that anyone could access.

To protect the files, a web.config file was added to the git folder within the public directory to restrict public access, which the researchers describe as a quirk unique to Microsoft. However, only Microsoft’s IIS web server honors web.config files: that works fine for C# and ASP.NET deployed with IIS, but not with other web servers.

With PHP, Ruby, Python and Node, deployments typically use web servers such as Apache, Nginx and Flask, which do not handle web.config files. As such, no protection was provided and the source code was exposed to all and sundry.
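The failure mode above, a .git folder inside the public web root whose only guard is a web.config that non-IIS stacks ignore, can be caught at deploy time. The following is an added example written for this article, not code from Wiz or Microsoft; it assumes a plain directory as the web root and a runtime label such as "php" or "dotnet" for the stack serving it, and it builds its own constructed sample tree.

```python
import os
import tempfile

# Only IIS honors web.config; the other App Service stacks are fronted by
# Apache/Nginx/Flask-style servers that never read it.
IIS_RUNTIMES = {"dotnet", "aspnet"}

def find_exposed_git_dirs(web_root, runtime):
    """Walk a public web root and report every .git directory under it.

    A finding counts as 'protected' only when a web.config sits inside the
    .git folder AND the runtime is served by IIS; on PHP/Python/Ruby/Node
    the same web.config is inert and the repository is exposed.
    """
    findings = []
    for dirpath, dirnames, _ in os.walk(web_root):
        if ".git" in dirnames:
            git_dir = os.path.join(dirpath, ".git")
            has_cfg = os.path.isfile(os.path.join(git_dir, "web.config"))
            findings.append({
                "path": git_dir,
                "web_config_present": has_cfg,
                "protected": has_cfg and runtime in IIS_RUNTIMES,
            })
            dirnames.remove(".git")  # do not descend into the repo itself
    return findings

def make_sample_root(with_web_config=True):
    """Constructed web root: <tmp>/index.php plus <tmp>/.git/{HEAD,web.config}."""
    root = tempfile.mkdtemp(prefix="wwwroot-")
    git_dir = os.path.join(root, ".git")
    os.makedirs(git_dir)
    with open(os.path.join(root, "index.php"), "w") as f:
        f.write("<?php echo 'hello'; ?>\n")
    with open(os.path.join(git_dir, "HEAD"), "w") as f:
        f.write("ref: refs/heads/master\n")
    if with_web_config:
        with open(os.path.join(git_dir, "web.config"), "w") as f:
            f.write("<configuration/>\n")  # stand-in for the IIS deny rule
    return root

if __name__ == "__main__":
    root = make_sample_root()
    for runtime in ("php", "dotnet"):
        for finding in find_exposed_git_dirs(root, runtime):
            state = "protected" if finding["protected"] else "EXPOSED"
            print(runtime, finding["path"], state)
```

Point it at the real web root of a deployed app (or the CI checkout that mirrors it) with the stack label the app runs on; any finding with `protected` false should block the deployment until the repository is moved out of the public directory or the serving web server is given its own deny rule.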

The Wiz researchers reported the security flaw to Microsoft on Oct. 7 and it has now been mitigated. That said, they warn that small groups of customers could still be potentially exposed and should take certain actions to protect their applications. Those affected were emailed notifications by Microsoft based on their configuration between Dec. 7 and Dec. 15.

Microsoft also granted Wiz a $7,500 bounty for their efforts, which the company plans to donate.

