Microsoft notifies customers of Azure 'NotLegit' bug
The Microsoft Security Response Center has released a blog post outlining its response to the Azure “NotLegit” bug discovered by cloud security company Wiz.
Wiz reported that all PHP, Node, Ruby, and Python applications deployed using "Local Git" on a clean default application in Azure App Service since September 2022 are affected. They added that the bug also affects all PHP, Node, Ruby, and Python applications deployed in Azure App Service from September 2022 onwards using any Git repository, after a file has been created or modified in the application engine.
Microsoft clarified in its response that the issue affects Linux App Service customers who deployed applications using Local Git after files had been created or modified in the content root directory. They explained that this is "because the system tries to preserve the files that are currently in use as part of resale content, and executes what is called usage replaced with a used engine (Kudu)."
"The images used for PHP runtime have been configured to serve all static content in the root content folder. After bringing this issue to our attention, we updated all PHP images to disable serving the .git folder as static content as a protection in depth measure," Microsoft explained.
They noted that not all Local Git users were affected by the vulnerability and that this did not affect the Windows Azure App Service.
Microsoft has contacted customers affected by the problem, including those affected by in-place activity and those affected by the .git folder being uploaded to the content directory. The company also updated its Security Recommendations document with an additional section concerning source code. It also updated the documentation for in-house use.
The Wiz Research Team said Tuesday that they first contacted Microsoft about the issue on October 7 and that they had worked with the company during the month to address it. A fix was put in place in November, and customers were notified before December. Wiz was awarded a $7,500 bug bounty.
Microsoft did not say whether the vulnerability had been exploited, but Wiz said "NotLegit" is "very easy, common, and exploitable."
“To assess the possibility of openness to the case we found, we submitted a vulnerable Azure App Service application, linked it to unused land, and waited patiently to see if anyone tried to access the .git files. Within 4 days of use, we were not surprised to see several requests for the .git package from unknown actors,” explained the researchers.
"Small groups of customers are still open and should take some consumer action to protect their applications, as explained in several email alerts issued by Microsoft between December 7 - 15, 2022."
The Wiz Research Team noted that accidentally exposing a Git folder through user error is a security issue that has affected organizations like the United Nations and several Indian government sites.
Vectra CTO Oliver Tavakoli said the impact of the vulnerability will be highly variable. Accessing the application source code (and possibly other files that may be left in the same directory) may provide information that may be used in other attacks, Tavakoli said.
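The requests Wiz observed for the .git folder are something an operator can look for in their own web logs. The following is an added example, not code from Microsoft, Wiz or the original article: it scans access-log lines for requests that resolve inside a .git folder (including URL-encoded and `../` forms) and reports whether the server actually served them. The combined log format and the sample lines are constructed assumptions.

```python
import re
from posixpath import normpath
from urllib.parse import unquote

# Constructed sample lines (combined log format, documentation IP ranges).
SAMPLE_LOG = '''\
203.0.113.5 - - [10/Dec/2022:10:01:02 +0000] "GET /index.php HTTP/1.1" 200 5120
203.0.113.9 - - [10/Dec/2022:10:03:11 +0000] "GET /.git/config HTTP/1.1" 200 274
198.51.100.7 - - [10/Dec/2022:10:04:40 +0000] "GET /%2Egit/HEAD HTTP/1.1" 200 23
198.51.100.7 - - [10/Dec/2022:10:05:02 +0000] "GET /static/../.git/index?x=1 HTTP/1.1" 403 153
192.0.2.44 - - [10/Dec/2022:10:06:30 +0000] "GET /docs/.gitignore-guide.html HTTP/1.1" 200 900
'''

# client, method, request target, status code
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3}) ')

def git_path(raw_target):
    """Return the normalized path if it points inside a .git folder, else None."""
    path = unquote(raw_target.split("?", 1)[0])   # drop query, decode %2E etc.
    path = normpath("/" + path.lstrip("/"))       # collapse ../ and // segments
    segments = [s.lower() for s in path.split("/") if s]
    # Match a whole path segment so .gitignore-guide.html is not flagged.
    return path if ".git" in segments else None

def find_git_requests(log_text):
    """Return (client, path, status, served) for each request that targets .git."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the assumed format
        client, _method, target, status = m.groups()
        path = git_path(target)
        if path:
            # 2xx or 304 means repository content left the server.
            served = status.startswith("2") or status == "304"
            hits.append((client, path, int(status), served))
    return hits

if __name__ == "__main__":
    for client, path, status, served in find_git_requests(SAMPLE_LOG):
        label = "SERVED (treat source as exposed)" if served else "blocked"
        print(f"{client} {path} {status} {label}")
```

Any hit marked as served means the source code and anything else committed to the repository should be treated as disclosed.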
“The fact that the researchers established what constitutes a lump of honey and saw the vulnerabilities used in the outdoors is of particular concern, as it means that the vulnerability of the well-kept mission,” Tavakoli explained.
JupiterOne field security director Jasmine Henry told ZDNet that released source code puts an organization in a very vulnerable position with respect to threat actors, who may be able to steal intellectual property immediately or launch an attack designed for specific vulnerabilities in the source code.
“The vulnerability of NotLegit in particular is eye-opening, as it highlights the growing security risk posed by privileged accounts and services, even without a developer error,” said Henry.