Another day, another bug. Microsoft is now informing its clients of the NotLegit Azure bug.
In its response to the NotLegit bug that cloud security company Wiz discovered recently, Microsoft has outlined the cause of the problem.
Wiz had claimed that the bug affects all PHP, Node, Ruby, and Python applications deployed using “Local Git” onto a default application in Azure App Service since September 2017. The firm also said the bug affects all apps in those categories deployed using any Git source after September 2017.
In its blog post, Microsoft explained that the bug affects App Service Linux customers who used Local Git to deploy their applications after a new file was created or an existing file was modified in the root directory. This happened because “the system attempts to preserve the currently deployed files as part of repository contents, and activates what is referred to as in-place deployments by deployment engine (Kudu).”
Explaining what it has done to address the issue, Microsoft said, “The images used for PHP runtime were configured to serve all static content in the content root folder. After this issue was brought to our attention, we updated all PHP images to disallow serving the .git folder as static content as a defense in depth measure.”
However, according to Microsoft, the bug does not affect everyone using Local Git. The software giant has notified affected clients and added a new section to its Security Recommendations document covering how to secure code.
Upon being informed of the bug on October 7, the Wiz Research Team collaborated with Microsoft to find a solution. The fix came in November, and Microsoft has been informing its clients since. Wiz got a payment of $7,500 for discovering the bug.
On whether hackers could exploit the bug, Microsoft has been silent. However, Wiz has said the NotLegit bug is very easy to exploit, familiar in kind, and being actively exploited.
The firm carried out tests to reach its conclusion. “To assess the chance of exposure with the issue we found, we deployed a vulnerable Azure App Service application, linked it to an unused domain, and waited patiently to see if anyone tried to reach the .git files. Within 4 days of deploying, we were not surprised to see multiple requests for the .git folder from unknown actors. Small groups of customers are still potentially exposed and should take certain user actions to protect their applications, as detailed in several email alerts Microsoft issued between the 7th – 15th of December, 2021.”
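The signal Wiz watched for on its honeypot, requests for the .git folder, is also the signal a defender can look for in their own web access logs. The script below is an added example, not code from Wiz or Microsoft; the combined-format log lines are constructed, and the decoding and case-folding go beyond the page by also catching percent-encoded or upper-cased variants of the path.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in Apache/nginx combined log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.10 - - [08/Dec/2021:10:01:02 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.10 - - [08/Dec/2021:10:01:03 +0000] "GET /.git/HEAD HTTP/1.1" 200 23 "-" "python-requests/2.26"
198.51.100.7 - - [08/Dec/2021:11:12:13 +0000] "GET /.git/config HTTP/1.1" 404 153 "-" "curl/7.68"
198.51.100.7 - - [08/Dec/2021:11:12:14 +0000] "GET /%2e%2e/.git/index HTTP/1.1" 403 0 "-" "curl/7.68"
192.0.2.55 - - [08/Dec/2021:12:00:00 +0000] "GET /static/app.js HTTP/1.1" 200 8812 "-" "Mozilla/5.0"
192.0.2.55 - - [08/Dec/2021:12:00:01 +0000] "GET /vendor/.GIT/logs/HEAD HTTP/1.1" 200 410 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def is_git_metadata_path(path: str) -> bool:
    """True if the request targets a .git directory anywhere in the path.
    Percent-decoding is repeated (bounded) to catch double encoding, and the
    result is lower-cased so /.GIT/ is treated like /.git/."""
    decoded = path
    for _ in range(3):
        again = unquote(decoded)
        if again == decoded:
            break
        decoded = again
    decoded = decoded.split("?", 1)[0].lower()
    return any(segment == ".git" for segment in decoded.split("/"))


def find_git_probes(log_text: str):
    """One record per request that touched .git. 'served' is True when the
    server answered 2xx, meaning repository metadata actually left the host."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or not is_git_metadata_path(m["path"]):
            continue
        status = int(m["status"])
        hits.append({"ip": m["ip"], "path": m["path"], "status": status,
                     "served": 200 <= status < 300})
    return hits


def summarize(hits):
    """Number of probes, distinct source IPs, and probes that were served."""
    return {"probes": len(hits),
            "sources": len({h["ip"] for h in hits}),
            "served": sum(h["served"] for h in hits)}
```

A non-zero `served` count on a production app means the repository was readable over HTTP and the application should be treated as having had its source exposed.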
The main problem with the NotLegit bug is that it can expose the source code for an application. This type of error has caused issues for notable organizations like the United Nations and some sites belonging to the Indian government. As such, it should be treated as a security issue.
Leaked source code could give attackers enough information to perfect their attacks, as explained by Oliver Tavakoli, CTO of Vectra. “The fact that the researchers set up what amounts to a honeypot and saw the vulnerability exploited in the wild is of particular concern, as it means that the vulnerability was not a well-kept secret.”
Thieves can also use leaked source code to steal an organization's intellectual property.
Describing the concerns about the NotLegit bug, Jasmine Henry, field security director at JupiterOne, told ZDNet, “The NotLegit vulnerability is especially eye-opening since it highlights the growing security risk caused by privileged accounts and services, even in the absence of developer error.”