Microsoft Notifies Customers of Azure “NotLegit” Bug


Microsoft Security Response Center posted a blog post explaining his response to the “NotLegit” bug in Azure which was discovered by cloud security company Wiz.

Wiz said that all PHP, Node, Ruby, and Python apps that have been deployed using “Local Git” to a clean default app in Azure App Service since September 2017 are affected. They added that all PHP, Node, Ruby, and Python apps that have been deployed to Azure App Service from September 2017 using any Git source – after creating or editing a file in the app container – were also affected.

Microsoft clarified in its response that the issue affects Linux App Service customers who have deployed applications using Local Git after creating or modifying files in the content root directory. They explained that this happens “because the system tries to preserve files currently deployed as part of the repository content and activates what are known as in-place deployments by the Deployment Engine (Kudu).”

“The images used for PHP runtime have been configured to serve all static content in the content root folder. After this issue was brought to our attention, we updated all PHP images to prohibit serving the .git file as static content as a defense-in-depth measure, ”Microsoft explained.

They noted that not all Local Git users were affected by the vulnerability and that Azure App Service Windows was not affected.

Microsoft has notified customers affected by the issue, including those who were affected due to the in-place deployment activation and those who downloaded the .git folder to the content directory. The company has also updated its security recommendations document with an additional section on securing source code. He also updated the documentation for in-place deployments.

The Wiz research team said on Tuesday that it first notified Microsoft of the issue on October 7 and worked with the company throughout the month to resolve it. The fix was rolled out in November and customers were notified in December. Wiz received a bug bounty of $ 7,500.

Microsoft did not say if the vulnerability was exploited, but Wiz said “NotLegit” is “extremely easy, common and actively exploited.”

“To assess the risk of exposure to the issue we found, we deployed a vulnerable Azure App Service application, linked it to an unused domain, and waited patiently to see if anyone attempted to access the files. git. In the 4 days following the deployment, we were not surprised to see several requests for the .git file from unknown actors, ”explained the researchers.

“Small groups of customers are still potentially at risk and should take certain user actions to protect their applications, as detailed in several email alerts Microsoft issued between December 7 and December 15, 2021.”

The Wiz research team noted that accidentally exposing the user’s Git folder by mistake is a security issue that has impacted organizations like the The United Nations and a number of Indian government websites.

Vectra CTO Oliver Tavakoli said the impact of the vulnerability will vary widely. Accessing the source code underlying an application (and possibly other files that might have been left in the same directory) can provide information that could be exploited for other attacks, Tavakoli said.

“Of particular concern is that the researchers set up what amounts to a pot of honey and saw the vulnerability exploited in nature is of particular concern, as it means that the vulnerability was not a well-kept secret,” Tavakoli explained. .

JupiterOne Field Security Director Jasmine Henry told ZDNet that the source code leak puts an organization in an incredibly vulnerable position to threats, which can instantly steal intellectual property or launch an exploit tailored to unique weaknesses. source code.

“The NotLegit vulnerability is particularly revealing, as it highlights the growing security risk caused by privileged accounts and services, even in the absence of developer error,” said Henry.


Comments are closed.