Microsoft Azure cloud exposed customers’ confidential source code since 2017

A few weeks ago Microsoft contacted a small group of Azure customers to inform them that they could be affected by a vulnerability recently discovered and identified as NotLegit, which exposed the source code of Azure web applications at least since September 2017.

The flaw, identified by Wiz researchers, was described as insecure default behavior in Azure App Service, exposing the source code of client applications written in PHP, Python, Ruby or Node, which were implemented using “Local Git.” Although so far there is nothing confirmed, it is highly likely that this bug has been actively exploited

A few weeks ago Microsoft reached out to a small group of Azure customers to inform them that Azure has support for several methods for deploying source code to App Service, including “Local Git.” This method allows developers to start an on-premises Git repository within the Azure App Service container that allows them to send their code directly to the server. Only customers who selected the “Local Git” option to deploy their websites from a Git repository hosted on the same Azure server were exposed to this flaw.

In its alert, Microsoft mentions that the problem arises when the vulnerable function is combined with an application configured to offer static content, making it possible for others to download files that would not be publicly available under conventional conditions.

On exploitation in the wild, Wiz researchers believe that this is highly possible, since during their tests they deployed a vulnerable Azure App Service application and linked it to an unused web domain; just a couple of days later they had already detected some attempts to access the contents of the source code folder in the exposed resources.

Microsoft fixed the flaw by updating all PHP images to prevent the .git folder service from working as static content, mitigating improper access to source code. The tech company also awarded Wiz a $7,500 USD reward for filing this bug.

To learn more about information security risks, malware variants, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) websites.