The Microsoft Azure App Service has a 4-year-old vulnerability that could reveal the source code of web apps written in PHP, Python, Ruby or Node that were deployed using Local Git, researchers have stated.
The security vulnerability could expose passwords & access tokens, along with details of internal infrastructure & help in finding software vulnerabilities.
Exploited in the Wild
The bug has almost certainly been exploited in the wild as a zero-day, according to an analysis from Wiz. The firm dubbed the vulnerability “NotLegit,” & revealed it has existed since September 2017.
The Azure App Service (aka Azure Web Apps) is a cloud computing-based platform for hosting websites & web applications. Local Git meanwhile allows developers to initiate a local Git repository within the Azure App Service container in order to deploy code straight to the server.
After deployment, the application is accessible for anyone on the internet under the *.azurewebsites.net domain.
The issue arises because when using Local Git, the Git folder is also uploaded & publicly accessible on unpatched systems; it is placed in the “/home/site/wwwroot” directory, which anyone could access.
This has serious implications from a security viewpoint, states the firm.
“Besides the possibility that the source contains secrets like passwords & access tokens, leaked source code is often used for further sophisticated attacks like gathering intel on the R&D division, learning the internal infrastructure, & finding software vulnerabilities,” researchers noted in a posting this week.
“Finding vulnerabilities in software is much easier when the source code is available.”
They added, “basically, all a malicious actor had to do was to fetch the ‘/.git’ directory from the target application & retrieve its source code.”
Microsoft did originally deploy a mitigation, in the form of adding a “web.config” file to the Git folder within the public directory that restricted public access; it turns out this is an incomplete fix though.
“Only Microsoft’s IIS webserver manages web.config files,” according to Wiz. “But [if] you use PHP, Ruby, Python or Node…these programming languages are deployed with different webservers (Apache, Nginx, Flask, etc.), which do not manage web.config files, leaving them unimpacted by the mitigation & therefore completely vulnerable.”
Wiz reported the lingering bug to Microsoft in Oct. and was awarded a $7.5k bounty for the discovery; the computing giant rolled out fixes between Dec. 7-15 and notified affected users via email.
Git folders are often accidentally exposed through misconfiguration (not just vulnerabilities, as in this case), & as such, cyber-criminals are on the lookout for them, researchers warned.
“An exposed Git folder is a common security issue that users make without even realising it,” they explained.
“Malicious actors are continuously scanning the internet for exposed Git folders from which they can collect secrets & intellectual property.”
Azure App Service
Wiz used a vulnerable Azure App Service application & linked it to an unused domain to see if there would be any exploitation.
“We waited patiently to see if anyone tried to reach the Git files,” they outlined.
“Within 4 days of deploying, we were not surprised to see multiple requests for the Git folder from unknown actors…this exploitation method is extremely easy, common and is actively being exploited.”
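The requests Wiz observed are the signal a defender can look for in their own access logs. As an added example (not code from Wiz or from this article), the script below scans constructed sample log lines in combined log format for requests to a `.git` directory, reports which clients probed it and which `.git` paths the server actually answered with 200, and includes a check that distinguishes a real `.git/HEAD` from a catch-all page that returns 200 for every path.

```python
import re
from collections import Counter

# Constructed sample access log lines in combined log format (not from the page).
# 203.0.113.7 walks the repository; its 200 responses mean the folder was served.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Dec/2021:08:01:12 +0000] "GET /.git/HEAD HTTP/1.1" 200 23 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Dec/2021:08:01:13 +0000] "GET /.git/config HTTP/1.1" 200 310 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Dec/2021:08:05:40 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Dec/2021:08:06:02 +0000] "GET /.git/objects/ HTTP/1.1" 403 199 "-" "curl/7.68.0"
198.51.100.9 - - [10/Dec/2021:09:10:00 +0000] "GET /.git/index HTTP/1.1" 404 153 "-" "python-requests/2.26"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)
# Matches ".git" as a whole path segment anywhere in the request path.
GIT_SEGMENT_RE = re.compile(r"(^|/)\.git(/|$)")


def is_git_probe(path):
    """True if the request path (query string ignored) targets a .git directory."""
    return bool(GIT_SEGMENT_RE.search(path.split("?", 1)[0]))


def find_git_probes(log_text):
    """Return (probes_per_ip, served_paths): how many .git requests each client
    made, and which .git paths were answered with 200, i.e. exposure confirmed
    unless the 200 is a catch-all page (see looks_like_git_head)."""
    probes_per_ip = Counter()
    served_paths = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or not is_git_probe(m["path"]):
            continue
        probes_per_ip[m["ip"]] += 1
        if m["status"] == "200":
            served_paths.append(m["path"])
    return dict(probes_per_ip), served_paths


def looks_like_git_head(body):
    """True if a response body is a real .git/HEAD file (a symbolic ref or a
    40-hex commit id) rather than an SPA fallback page served for every path."""
    text = body.strip()
    return bool(re.fullmatch(r"ref: refs/[\w./-]+", text) or re.fullmatch(r"[0-9a-f]{40}", text))


if __name__ == "__main__":
    print(find_git_probes(SAMPLE_LOG))
```

Running it against the sample prints the probing client with its three requests and the two `.git` paths that were served; a 200 for `/.git/HEAD` whose body passes `looks_like_git_head` is the confirmation that the repository is exposed.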
The following users should estimate the potential risk, according to Wiz, & make sure to update their systems:
- Users who deployed code via FTP, Web Deploy or Bash/SSH, which resulted in files being initialised in the web app before any Git deployment;
- Users who enabled Local Git on the web app;
- Users who then used a Git clone/push sequence to publish updates.
“Because the security issue was in an Azure service, cloud users were exposed on a big scale, & without them knowing or having any control over it,” researchers concluded.