Microsoft Azure App Service has been found to have a flaw that left the contents of the Local Git repository (the .git folder) publicly accessible to anyone. The flaw, dubbed NotLegit, was uncovered by Wiz.io, and it exposes the source code of applications built with Java, Node, PHP, Python, and Ruby.
The exposure went undetected for the four years since the feature was deployed. Security researchers concluded that the flaw had been actively exploited by threat actors, a conclusion they reached after setting a few traps (decoy applications) for those actors.
Microsoft acknowledged the issue and alerted the ‘limited subset’ of customers it considers affected. Those customers received email notifications from the company between December 7 and December 15, asking them to carry out certain steps to protect their applications.
“We have notified the limited subset of customers that we believe are at risk due to this, and we will continue to work with our customers on securing their applications,” the Microsoft Security Response Center said.
Microsoft’s Azure App Service is a cloud offering that lets customers host web apps and websites. Customers have several options for building and deploying source code and artifacts on App Service; one of them is Local Git, which lets users push their code directly to the target server.
To keep proprietary data safe, security experts advise that the .git folder never be uploaded to a web-served location, since it contains the full source code and other sensitive information such as developers’ contact details. Microsoft, however, placed the git repository inside the publicly accessible web root directory (/home/site/wwwroot).
“This was a known quirk to Microsoft and to protect your files it added a ‘web.config’ file to the .git folder within the public directory that restricted public access,” the researchers said.
“Only Microsoft’s IIS webserver handles web[.]config files … if you use C# or ASP.NET, the application is deployed with IIS and this mitigation is perfectly fine,” the same group said.
The vulnerability is exploitable, however, when a developer deploys an application written in PHP, Ruby, Python, or Node on Apache, Nginx, Flask, or similar tools, none of which honour web[.]config files. The researchers also found that Microsoft’s web[.]config file was not written correctly: it contained a typo that, as it happened, averted a bigger crisis by blocking access to the entire directory.
“It’s disturbing, but perhaps not too surprising, that we are seeing configuration errors on the part of the cloud service provider,” Sounil Yu, CISO at JupiterOne, said. “We all make mistakes, and Microsoft, Google, and Amazon are not infallible,” he said, citing the recent example of the AWS “Support Service Role” getting read permissions to everyone’s S3 buckets.
“These configuration errors by the cloud provider expose customer data even if the customer is doing everything right. Selecting the right cloud asset attack surface management tools is the key to quickly and easily spot these issues,” Yu said.
After Wiz reported the flaw to Microsoft, Microsoft fixed it, and Wiz confirmed the fix. The flaw’s existence has nonetheless raised concerns among security experts and enthusiasts. “This is significant for security practitioners,” says Randy Pargman, a former FBI Cyber Task Force agent who is now vice president of threat hunting and counterintelligence for Binary Defense.
“No secrets or API keys should be stored in the code, but instead should be referenced from environment variables or secure key stores,” he says. While many website developers embed API keys and secrets in source code because it’s faster and easier, if an attacker obtains those keys, “they can do anything that the API allows,” Pargman said.
Oliver Tavakoli, CTO of Vectra AI, said the flaw’s impact was a concern because the research showed it was being exploited by threat actors and that the vulnerability was no secret among hackers.
Otavio Freire, CTO of SafeGuard Cyber, echoed that sentiment, noting that the Log4j vulnerabilities were likewise folded into Conti’s attack strategy once that flaw came to light.
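Two of the points above lend themselves to a pre-push check: a .git folder in the web root is protected only where the server honours web.config (IIS), and secrets belong in environment variables or a key store rather than in code. The script below is an added example, not Wiz’s, Microsoft’s or the quoted experts’ code. It walks a staging copy of the web root, flags any .git folder the chosen server would serve, scans for a couple of constructed credential patterns, and shows the environment-variable pattern Pargman describes. The server names, the placeholder web.config content, the secret patterns and the sample tree are all assumptions constructed for the demo.

```python
"""Pre-deploy check for an App Service style web root.

Added example (not Wiz's or Microsoft's code). Assumptions: the staging
directory mirrors what will land in the web root (e.g. /home/site/wwwroot),
the target server type is known, and a web.config inside .git is honoured
by IIS only. The sample tree below is constructed for the demo.
"""
from __future__ import annotations

import re
import tempfile
from pathlib import Path

# Only IIS enforces web.config; Apache, Nginx, Flask and friends serve .git as static files.
WEBCONFIG_AWARE_SERVERS = {"iis"}

# Constructed, deliberately narrow patterns for the secret scan (real scanners carry many more).
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "generic_api_key": re.compile(
        r"""(?i)\b(?:api[_-]?key|secret)\s*[:=]\s*['"][A-Za-z0-9_\-]{16,}['"]"""
    ),
}


def find_git_dirs(root: Path) -> list[Path]:
    """Every .git directory under the staging root, including nested ones."""
    return sorted(p for p in root.rglob(".git") if p.is_dir())


def git_exposure(root: Path, server: str) -> list[str]:
    """Report .git folders that the given server would serve to the public."""
    findings = []
    for git_dir in find_git_dirs(root):
        rel = git_dir.relative_to(root)
        has_webconfig = (git_dir / "web.config").is_file()
        if has_webconfig and server.lower() in WEBCONFIG_AWARE_SERVERS:
            continue  # IIS applies the deny rule in web.config; nothing to report
        reason = "web.config present but server ignores it" if has_webconfig else "no access control at all"
        findings.append(f"{rel} would be served publicly ({reason})")
    return findings


def hardcoded_secrets(root: Path) -> list[str]:
    """Flag source files that embed credentials instead of reading them from the environment."""
    findings = []
    for path in sorted(root.rglob("*")):
        if not path.is_file() or ".git" in path.parts:
            continue  # repository internals are reported by git_exposure, not re-scanned here
        text = path.read_text(errors="ignore")
        for name, pattern in SECRET_PATTERNS.items():
            for match in pattern.finditer(text):
                line = text.count("\n", 0, match.start()) + 1
                findings.append(f"{path.relative_to(root)}:{line}: {name}")
    return findings


def api_key_from_env(env: dict, name: str = "APP_API_KEY") -> str:
    """The pattern Pargman recommends: the key lives outside the code, and startup fails loudly if it is missing."""
    key = env.get(name)
    if not key:
        raise RuntimeError(f"{name} is not set; refusing to start with a missing credential")
    return key


def preflight(root: Path, server: str) -> dict:
    """Combined verdict; empty lists in both fields mean the tree is safe to push."""
    return {
        "git_exposure": git_exposure(root, server),
        "secrets": hardcoded_secrets(root),
    }


def build_sample_tree() -> Path:
    """Constructed staging tree: an app whose .git folder was committed into the web root."""
    root = Path(tempfile.mkdtemp(prefix="wwwroot_"))
    (root / "app.py").write_text(
        'API_KEY = "c0nstructedExampleKey1234"  # constructed sample value\n'
        'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"  # AWS documentation example key\n'
    )
    git_dir = root / ".git"
    (git_dir / "objects").mkdir(parents=True)
    (git_dir / "HEAD").write_text("ref: refs/heads/main\n")
    (git_dir / "config").write_text("[user]\n\tname = Example Dev\n\temail = dev@example.com\n")
    # Placeholder for the deny rule Microsoft ships; the real file contents are not reproduced here.
    (git_dir / "web.config").write_text("<configuration><!-- placeholder deny rule --></configuration>\n")
    return root


if __name__ == "__main__":
    sample = build_sample_tree()
    for target in ("iis", "nginx"):
        print(target, preflight(sample, target))
```

Run against the constructed tree, the IIS verdict reports no .git exposure because the deny rule applies, while the Nginx verdict flags the same folder; the secret scan fires on both constructed lines in either case. In practice the .git folder should be excluded from the deploy artifact regardless of server, so a stricter policy would fail the push whenever `find_git_dirs` returns anything.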
“While Microsoft notified affected users of the Azure service earlier this month, there will still likely be some lag due to the holiday season. This, compounded with the fact that remediation for this exposure issue requires manual action from the user beyond a simple update, means that there are likely still a fair number of exposed [.]git files out in the wild,” Freire said.