A security issue discovered in Azure App Service, a Microsoft-managed platform for creating and hosting web apps, has exposed customers' PHP, Node, Python, Ruby, and Java source code for at least four years.
The issue was found and reported by researchers at cloud security provider Wiz.io. It only affected Azure App Service Linux clients; IIS-based applications deployed by Azure App Service Windows customers were not affected.
“The vulnerability, which we dubbed as ‘NotLegit,’ has existed since September 2017 and has probably been exploited in the wild,” Wiz.io added.
“Small groups of customers are still potentially exposed and should take certain user actions to protect their applications, as detailed in several email alerts Microsoft issued between the 7th and 15th of December, 2021.”
To test their hypothesis that the unsafe default behavior in Azure App Service Linux was already being abused in the wild, the researchers deployed a deliberately vulnerable app of their own. Within four days, unknown actors made their first attempts to retrieve the contents of its exposed source code folder.
While this might indicate that attackers are already aware of the NotLegit weakness and are deliberately hunting for exposed Azure App Service source code, the requests could equally be routine internet-wide scans for exposed .git folders.

All PHP, Node, Python, Ruby, and Java Azure App Service applications that serve static content are affected if they were:
- deployed using Local Git on a new default application in Azure App Service, since 2013.
- deployed in Azure App Service from any Git source since 2013, after a file was created or modified in the app container.
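The scans described above leave a recognisable trace in ordinary web server access logs. The following Python script is an added example, not code from Wiz.io, Microsoft, or the original article: it parses a few constructed log lines in the common combined log format, flags every request whose percent-decoded path enters a `.git`, `.svn`, or `.hg` directory, and separates the probes that were actually answered with a 2xx (content disclosed) from those that were refused, which is the distinction an incident responder needs first.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample traffic in combined log format (addresses are documentation
# ranges, not real clients). The third line shows a probe that succeeded.
SAMPLE_LOG = """\
203.0.113.7 - - [20/Dec/2021:10:14:02 +0000] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.7 - - [20/Dec/2021:10:14:03 +0000] "GET /.git/HEAD HTTP/1.1" 200 23 "-" "python-requests/2.26"
203.0.113.7 - - [20/Dec/2021:10:14:03 +0000] "GET /.git/config HTTP/1.1" 200 297 "-" "python-requests/2.26"
198.51.100.9 - - [20/Dec/2021:11:02:41 +0000] "GET /.git/HEAD HTTP/1.1" 404 162 "-" "curl/7.79.1"
192.0.2.44 - - [20/Dec/2021:11:30:00 +0000] "GET /static/app.js HTTP/1.1" 200 8800 "-" "Mozilla/5.0"
192.0.2.44 - - [20/Dec/2021:11:30:05 +0000] "GET /.git%2FHEAD HTTP/1.1" 404 162 "-" "Mozilla/5.0"
"""

# Minimal parser for the fields we need: client IP, request path and status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# A path segment that is exactly .git/.svn/.hg, anywhere in the path.
VCS_SEGMENT_RE = re.compile(r'(^|/)\.(git|svn|hg)(/|$)', re.IGNORECASE)


def is_vcs_probe(path):
    """True if the request path, after decoding %XX escapes and dropping the
    query string, reaches into a version-control metadata directory."""
    clean = unquote(path.split('?', 1)[0])
    return bool(VCS_SEGMENT_RE.search(clean))


def scan_log(lines):
    """Return (probes, served): all VCS probes found, and the subset the server
    actually answered with a 2xx, i.e. where repository content was disclosed."""
    probes = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed or unrelated line; skip rather than crash
        if is_vcs_probe(m['path']):
            probes.append({'ip': m['ip'], 'path': m['path'], 'status': int(m['status'])})
    served = [p for p in probes if 200 <= p['status'] < 300]
    return probes, served


def probes_by_ip(probes):
    """Count probe requests per source address, for triage and blocking."""
    return Counter(p['ip'] for p in probes)


if __name__ == '__main__':
    probes, served = scan_log(SAMPLE_LOG.splitlines())
    print(f'{len(probes)} VCS probes, {len(served)} answered with 2xx')
    for p in served:
        print('  DISCLOSED', p['ip'], p['path'])
    print('per-source counts:', dict(probes_by_ip(probes)))
```

The percent-encoded `/.git%2FHEAD` line shows why decoding before matching matters: a pattern applied to the raw path would miss it. A run over real logs should treat any 2xx entry in `served` as confirmed disclosure of repository contents and start from there.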
“MSRC was informed by Wiz.io [..] of an issue where customers can unintentionally configure the .git folder to be created in the content root, which would put them at risk for information disclosure,” Microsoft said today.
“This, when combined with an application configured to serve static content, makes it possible for others to download files not intended to be public.”
The Azure App Service team and MSRC deployed a fix covering most affected customers and notified every customer who remained exposed because they had enabled in-place deployment or uploaded the .git folder to the content directory. Microsoft's fix modifies the PHP images so that the .git folder is no longer served as static content.
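In application terms, Microsoft's image change amounts to refusing to serve anything under `.git` as static content. The Python below is an added example, not Microsoft's fix and not Azure App Service code, that shows the same idea in two defensive forms: a WSGI middleware that returns 404 for any request path containing a version-control metadata directory, and a deployment-time check that walks the content root and reports any `.git`, `.svn`, or `.hg` directory that would otherwise be reachable. The permissive static handler and the temporary content root are constructed stand-ins for the real platform.

```python
import os
import tempfile
from urllib.parse import unquote

# Directories holding repository metadata; none of them should ever be served.
VCS_DIRS = frozenset({'.git', '.svn', '.hg'})


def path_touches_vcs_dir(request_path):
    """True if any segment of the percent-decoded path is a VCS metadata directory."""
    decoded = unquote(request_path.split('?', 1)[0])
    return any(segment in VCS_DIRS for segment in decoded.split('/'))


class DenyVcsDirs:
    """WSGI middleware that answers 404 for any request into a VCS directory
    before the wrapped application or static-file handler can serve it."""

    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        if path_touches_vcs_dir(environ.get('PATH_INFO', '')):
            body = b'Not Found'
            start_response('404 Not Found', [('Content-Type', 'text/plain'),
                                             ('Content-Length', str(len(body)))])
            return [body]
        return self.app(environ, start_response)


def find_vcs_dirs(content_root):
    """Deployment-time check: list VCS metadata directories under the served
    content root, relative to it. An empty list is the expected healthy result."""
    found = []
    for dirpath, dirnames, _ in os.walk(content_root):
        for name in list(dirnames):
            if name in VCS_DIRS:
                found.append(os.path.relpath(os.path.join(dirpath, name), content_root))
                dirnames.remove(name)  # no need to descend into the repository itself
    return sorted(found)


# --- constructed harness so the module runs stand-alone --------------------

def permissive_static_app(environ, start_response):
    """Stand-in for a static handler that serves whatever path it is asked for,
    which is the behaviour the middleware above is meant to guard."""
    body = b'served: ' + environ['PATH_INFO'].encode()
    start_response('200 OK', [('Content-Type', 'text/plain')])
    return [body]


def simulate_request(app, path):
    """Call a WSGI app for GET `path` and return (status line, body bytes)."""
    captured = {}

    def start_response(status, headers):
        captured['status'] = status

    body = b''.join(app({'REQUEST_METHOD': 'GET', 'PATH_INFO': path}, start_response))
    return captured['status'], body


def demo_content_root_check():
    """Build a throwaway content root containing a .git directory and run the check."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, '.git', 'objects'))
        os.makedirs(os.path.join(root, 'public', 'css'))
        return find_vcs_dirs(root)


if __name__ == '__main__':
    guarded = DenyVcsDirs(permissive_static_app)
    for p in ['/index.php', '/.git/HEAD', '/static/.git/config', '/.git%2FHEAD']:
        print(p, '->', simulate_request(guarded, p)[0])
    print('VCS dirs found in content root:', demo_content_root_check())
```

The two checks are complementary: the middleware protects an app whose content root already contains a repository, while `find_vcs_dirs` run in CI or at container start catches the misconfiguration before the app is ever exposed.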
A new section on appropriately securing apps’ source code and in-place deployments has been added to the Azure App Service docs. Microsoft’s blog post and Wiz Research Team’s study provide further technical details on the NotLegit security hole, as well as a disclosure chronology.