NotLegit: 4-year old Microsoft Azure App Service 0-day vulnerability affects source code repositories

A four-year old Microsoft Azure App Service 0-day vulnerability dubbed “NotLegit” affects hundreds of source code repositories.

Security researchers from the Wiz Research Team discovered the flaw in the Azure App Service and warned the issue likely existed since September 2017 and has “probably been exploited in the wild.”

“The Wiz Research Team detected an insecure default behavior in the Azure App Service that exposed the source code of customer applications written in PHP, Python, Ruby, or Node, that were deployed using ‘Local Git’,” Shir Tamari wrote in a blog post on December 21, 2021.

The Wiz team reported the issue to Microsoft back on October 7, 2021 and the issue has since been mitigated. However, Microsoft sent out several emails with instructions to affected customers between December 7th and 15th, 2021. Those instructions included user actions needed to protect customer applications that may still be exposed.

The Azure App Service (also known as Azure Web Apps) is a Microsoft-operated cloud computing platform used to “quickly and easily create enterprise-ready web and mobile apps for any platform or device.”

Local Git repository exposed

One of the many advantages of using the Azure App Service is that it allows developers to easily create an App Service app by deploying code from a local Git repository, for example via the Azure CLI. By setting up a Git repository within the App Service container, customers can simply push code straight to their servers.

According to the Wiz findings, however, certain customers’ local Git repository was publicly exposed:

“When the ‘Local Git’ deployment method was used to deploy to the Azure App Service, the git repository was created within the publicly accessible directory (/home/site/wwwroot) that anyone could access.”

Moreover, Wiz also set up a deliberately vulnerable Azure App Service application to assess the likelihood of exploitation in the wild. Within just four days of setting up the app, they found that unknown attackers had already sent multiple requests for the .git folder.
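The probing Wiz observed leaves a clear trail in web server access logs. The following Python script is an added example (not code from the article, Wiz, or Microsoft) that parses combined-format access log lines, flags any request into a `.git` directory, and separates mere probes from requests the server actually answered with a 2xx, which indicate the repository was reachable at that moment. The log lines are constructed sample data.

```python
import re
from collections import defaultdict

# Constructed sample lines in Apache/nginx "combined" log format (not from the article or from Wiz).
SAMPLE_LOG = """\
203.0.113.5 - - [22/Dec/2021:10:01:02 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [22/Dec/2021:10:01:03 +0000] "GET /.git/HEAD HTTP/1.1" 200 23 "-" "curl/7.68.0"
203.0.113.5 - - [22/Dec/2021:10:01:04 +0000] "GET /.git/config?v=1 HTTP/1.1" 200 137 "-" "curl/7.68.0"
198.51.100.9 - - [22/Dec/2021:10:02:00 +0000] "GET /static/app.js HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
198.51.100.9 - - [22/Dec/2021:10:02:01 +0000] "GET /.git/index HTTP/1.1" 404 153 "-" "python-requests/2.25"
192.0.2.77 - - [22/Dec/2021:10:03:00 +0000] "GET /blog/.gitignore HTTP/1.1" 200 40 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: [^"]*)?" (?P<status>\d{3})')
# Match a ".git" path segment exactly; ".gitignore" or "legit" must not trigger.
GIT_DIR_RE = re.compile(r'(?:^|/)\.git(?:/|$)')

def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    fields = m.groupdict()
    # Drop the query string so "/.git/config?v=1" is judged on its path alone.
    fields["path"] = fields.pop("target").split("?", 1)[0]
    fields["status"] = int(fields["status"])
    return fields

def find_git_requests(log_text):
    """All parsed requests whose path reaches into a .git directory."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and GIT_DIR_RE.search(rec["path"]):
            hits.append(rec)
    return hits

def summarize(log_text):
    """Per-client counts of .git probes and of probes the server served (2xx = confirmed exposure)."""
    summary = defaultdict(lambda: {"probes": 0, "served": 0})
    for rec in find_git_requests(log_text):
        summary[rec["ip"]]["probes"] += 1
        if 200 <= rec["status"] < 300:
            summary[rec["ip"]]["served"] += 1
    return dict(summary)

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

Any client with a non-zero `served` count has retrieved repository contents, so the response is a secret rotation and source review, not just blocking the scanner.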

Microsoft supposedly fixed the issue by adding a “web.config” file to the .git folder within the public directory in order to restrict public access. However, only Windows (IIS) web servers honor web.config files. Apps that use PHP, Node, Ruby, and Python do not run on Windows IIS servers, so they likely remain affected by the vulnerability.

As part of the instructions sent out to affected customers, Microsoft included a link to GitHub guidance on how to turn off in-place deployments and secure the app’s repository folder.

Finally, the issue reminds developers and organizations just how important it is to prevent the exposure of the Git folder.

Bad actors continue to scan the internet for exposed Git folders, looking to collect secrets and sensitive source code, which can then be used to find software vulnerabilities and internal infrastructure weaknesses, steal intellectual property, and launch further attacks.
