Recently, the Wiz research team discovered an insecure default behavior in Azure App Service, dubbed the "NotLegit" vulnerability. It means that the source code of applications written in PHP, Python, Ruby or Node and deployed through "Local Git" may be exposed. The "NotLegit" vulnerability is reported to have existed since September 2017 and may have been exploited by attackers.
Wiz reported the vulnerability to Microsoft as early as October 7, 2021, and it has since been mitigated. However, some small business customers may still be at risk of exposure, and affected users should take action to protect their applications. For details, refer to the email notifications Microsoft issued between December 7 and 15, 2021.
"NotLegit" vulnerability: Local Git repository is publicly accessible
Wiz's reminder: when deploying Git repositories to web servers and storage buckets, make sure the .git folder is not uploaded, because it contains the source code, developer email addresses and other sensitive data.
When deploying to Azure App Service through "Local Git", the Git repository is created in the publicly accessible directory /home/site/wwwroot, which anyone can reach (a quirk Wiz says Microsoft was well aware of). To protect users' files, Microsoft added a "web.config" file to the .git folder that restricts public access. However, only the Microsoft IIS web server processes "web.config" files, so the mitigation works for C# and ASP.NET applications.
Here lies the problem: PHP, Ruby, Python and Node applications are deployed with different web servers (Apache, Nginx, Flask, etc.), and those servers do not process the "web.config" file at all. The mitigation is therefore ineffective for them, and applications written in these languages are fully exposed to the "NotLegit" vulnerability.
In practice, the "NotLegit" vulnerability means that all a malicious attacker has to do is request the "/.git" directory from the target application and retrieve its source code.
Interestingly, Microsoft's web configuration file was itself broken in this incident by an input error (a configuration tag was not properly closed), which left IIS unable to parse the file.
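The failure mode described above, an unclosed tag turning a protective web.config into a file IIS cannot parse, is easy to reproduce. The following is an added example, not Microsoft's or Wiz's code: it parses a web.config the way any XML consumer would and reports whether a rule blocking public access is actually present. The two sample files are constructed; the rule shapes they use (IIS request-filtering hiddenSegments and a URL-authorization deny) are standard IIS settings assumed here as the kind of rule such a file would carry, not the exact content Microsoft shipped.

```python
# Added example (not Microsoft's or Wiz's code): check whether an IIS web.config
# placed in a .git folder is well-formed and carries a rule that blocks public access.
import xml.etree.ElementTree as ET

# Constructed: a well-formed config that hides the folder from IIS requests
# and denies all users. The rule shapes are standard IIS settings, assumed here.
GOOD_WEB_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.webServer>
    <security>
      <requestFiltering>
        <hiddenSegments>
          <add segment=".git" />
        </hiddenSegments>
      </requestFiltering>
      <authorization>
        <deny users="*" />
      </authorization>
    </security>
  </system.webServer>
</configuration>
"""

# Constructed: the same config with </requestFiltering> left out, the kind of
# input error the article describes. IIS, like any XML parser, rejects the whole
# file, so none of the rules inside it take effect.
BROKEN_WEB_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.webServer>
    <security>
      <requestFiltering>
        <hiddenSegments>
          <add segment=".git" />
        </hiddenSegments>
      <authorization>
        <deny users="*" />
      </authorization>
    </security>
  </system.webServer>
</configuration>
"""


def check_web_config(text):
    """Return (ok, reason). ok is True only if the XML parses AND a blocking rule exists."""
    try:
        root = ET.fromstring(text)
    except ET.ParseError as exc:
        # An unparseable file gives no protection at all, whatever rules it contains.
        return False, "unparseable XML: %s" % exc

    # Request filtering: is ".git" registered as a hidden segment?
    hidden = root.findall(".//requestFiltering/hiddenSegments/add")
    has_hidden = any(a.get("segment", "").lower() == ".git" for a in hidden)

    # URL authorization: is every user denied?
    denies = root.findall(".//authorization/deny")
    has_deny = any(d.get("users") == "*" for d in denies)

    if has_hidden or has_deny:
        return True, "blocking rule present"
    return False, "well-formed but no rule blocks public access"


if __name__ == "__main__":
    for name, cfg in (("good", GOOD_WEB_CONFIG), ("broken", BROKEN_WEB_CONFIG)):
        print(name, check_web_config(cfg))
```

Passing this check only matters on IIS: on Apache, Nginx or a Python/Node server the same file is just another static file in the repository, which is exactly the gap the article describes.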
Microsoft also found that users of other Git deployment tools may be exposed: if a file is created or modified in the Azure App Service container (using FTP, Web Deploy or SSH) before a Git deployment, the service enters a "Local deployment" state, and from then on every Git deployment is placed in the publicly accessible directory.
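Because the exposure depends on which web server happens to front the application, the practical question for an operator is simply whether their own deployed app serves the .git folder. The following is an added example, not Wiz's or Microsoft's code, of a self-check a defender can run against their own app. The status code alone is not a reliable signal, since many Node and PHP apps answer 200 with a catch-all HTML page for any path, so the body is matched against what a genuine .git/HEAD file looks like. The sample answers and the User-Agent string are constructed.

```python
# Added example (not Wiz's or Microsoft's code): classify whether an app's
# /.git/HEAD is actually being served, for auditing your own deployment.
import re
import sys
import urllib.error
import urllib.request

# A real .git/HEAD is either a symbolic ref ("ref: refs/heads/...") or, for a
# detached HEAD, a bare 40-hex commit id. Anything else is not a Git HEAD file.
HEAD_RE = re.compile(r"\A(ref: refs/\S+|[0-9a-f]{40})\Z")


def classify_git_head(status, body):
    """Classify one HTTP answer for /.git/HEAD.

    Returns "exposed" when the body is a genuine HEAD file, "blocked" when the
    server refused the request, and "not-found-or-generic" for 404s and
    catch-all pages that merely return 200 with unrelated content.
    """
    if status in (401, 403):
        return "blocked"
    if status != 200:
        return "not-found-or-generic"
    if HEAD_RE.match(body.strip()):
        return "exposed"
    return "not-found-or-generic"


def fetch_status_and_body(url, timeout=5):
    """Fetch url and return (status, first 4 KiB of body). Used only for a live self-check."""
    req = urllib.request.Request(url, headers={"User-Agent": "git-exposure-selfcheck"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read(4096).decode("utf-8", "replace")
    except urllib.error.HTTPError as exc:
        return exc.code, exc.read(4096).decode("utf-8", "replace")


# Constructed sample answers, standing in for what three different stacks returned.
SAMPLES = {
    "php-on-apache": (200, "ref: refs/heads/master\n"),
    "node-with-catchall-route": (200, "<!doctype html><html><body>Not here</body></html>"),
    "iis-with-working-web-config": (403, "<html>403 Forbidden</html>"),
}


def audit_samples(samples=SAMPLES):
    """Run the classifier over a dict of name -> (status, body)."""
    return {name: classify_git_head(st, body) for name, (st, body) in samples.items()}


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Live self-check of one app, e.g. https://<yourapp>.azurewebsites.net
        base = sys.argv[1].rstrip("/")
        st, body = fetch_status_and_body(base + "/.git/HEAD")
        print(base, classify_git_head(st, body))
    else:
        for name, verdict in audit_samples().items():
            print(name, verdict)
```

An "exposed" verdict means the fix belongs at the web server or platform layer (a deny rule the server in use actually honours, or not deploying the .git folder at all), not in the application code.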
"NotLegit" Vulnerability: Affected Area
Every PHP, Node, Ruby and Python application deployed with "Local Git" to Azure App Service since September 2017 may be affected by the "NotLegit" vulnerability. Only IIS-based applications are unaffected.
Exposed Git folders are a well-known security problem, yet many users are simply unaware of it.
Malicious actors constantly scan the Internet for exposed Git folders and harvest secrets and intellectual property from them. Beyond the passwords and access tokens the source code may contain, leaked source code is often used in further, more sophisticated attacks: gathering information on the R&D departments of large technology companies, understanding their internal infrastructure, and finding software vulnerabilities.
Git folders exposed through user error have caused security incidents that affected even large international events. What stands out about the "NotLegit" vulnerability is that cloud users were innocent: they did not expose their Git folder themselves. The security problem occurred inside the Azure service and exposed cloud users on a large scale, something they neither knew about nor could control.
Regarding this incident, many developers and users on Twitter encouraged all affected users to report the "NotLegit" vulnerability to Microsoft. After understanding the severity of the problem, Microsoft promptly investigated and mitigated it.
Between December 7 and 15, Microsoft sent notifications to all affected users. Microsoft also awarded the Wiz team a $7,500 bounty for discovering the problem.
About Azure App Service
Azure App Service (also known as Azure Web Apps) is a cloud platform for hosting websites and web applications. It is easy to use and therefore very popular:
1. Choose a supported programming language and operating system.
2. Deploy the application source code or artifacts to the Azure hosting server using FTP, SSH, or by pulling from a Git service (such as GitHub or a dedicated Git repository).
3. After deployment, anyone on the Internet can access the application under the *.azurewebsites.net domain.
Regarding "Local Git":
Azure offers several ways to deploy source code and artifacts to App Service, one of which is "Local Git". With "Local Git", a Git repository is initialized inside the App Service container so that users can push code directly to the server.