“NotLegit” Azure Bug Confirmed by Microsoft

The “NotLegit” bug discovered by cloud security firm Wiz.io has been addressed by Microsoft’s Security Response Center. All PHP, Node, Ruby, and Python applications that were deployed using “Local Git” on a clean default application in Azure App Service since September 2017 are said to be vulnerable, as are PHP, Node, Ruby, and Python apps deployed in Azure App Service from any Git source from September 2017 onward. Microsoft’s updated statement reads:

“We are aware of an issue that affects App Service Linux users who deployed applications using Local Git after files were created or updated in the content root directory. This happens as a result of the system attempting to maintain the currently active files as part of repository contents, and enlisting what is known as in-place deployments via deployment engine (Kudu).

“The images used for PHP runtime were configured to serve all static content in the content root folder. After this issue was brought to our attention, we updated all PHP images to disallow serving the .git folder as static content as a defense in depth measure,” Microsoft explained.

“For these languages since the application code controls whether it serves static content, we recommend customers review the code to make sure that only the relevant code is served out.”

The researchers determined that not all Local Git users were affected, and that Azure App Service on Windows was not affected at all. Microsoft notified customers whose .git folder was placed in the content directory, as well as those who had uploaded it to a repository. Microsoft also added a new section on protecting source code to its Security Recommendations document and updated its documentation for in-place deployments.

On Tuesday, the Wiz Research Team announced that it had informed Microsoft about the problem on October 7 and worked with Microsoft throughout the month to resolve it. The fix was put in place in November, and customers were alerted to it in December.

Wiz was awarded a bug bounty of 7,500 for the issue. The flaw is “extremely simple, typical, and frequently utilized,” according to Wiz. Microsoft did not say whether the hole has been exploited.

“To assess the chance of exposure with the issue we found, we deployed a vulnerable Azure App Service application, linked it to an unused domain, and waited patiently to see if anyone tried to reach the .git files. Within 4 days of deploying, we were not surprised to see multiple requests for the .git folder from unknown actors,” the researchers explained.

“Small groups of customers are still potentially exposed and should take certain user actions to protect their applications, as detailed in several email alerts Microsoft issued between the 7th – 15th of December, 2021.”
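The statement and the researchers’ observation above describe two halves of the same problem: the web tier must not serve the .git folder as static content, and requests for that folder are worth spotting in access logs. The following Python is an added example (not Microsoft’s, Wiz’s or Azure’s code) showing both halves; the path normalization, the guard, and the log scanner are assumptions for illustration, and the log lines are constructed.

```python
import posixpath
import re
from urllib.parse import unquote

# Directory names whose contents must never be served as static content.
VCS_DIRS = {".git", ".svn", ".hg"}

# Constructed combined-format access log lines (illustrative, not real traffic).
SAMPLE_LOG = """\
203.0.113.10 - - [20/Dec/2021:10:01:02 +0000] "GET /index.php HTTP/1.1" 200 512
203.0.113.10 - - [20/Dec/2021:10:01:03 +0000] "GET /.git/HEAD HTTP/1.1" 200 23
198.51.100.7 - - [20/Dec/2021:10:02:11 +0000] "GET /%2Egit/config HTTP/1.1" 200 137
198.51.100.7 - - [20/Dec/2021:10:02:12 +0000] "GET /static/app.js HTTP/1.1" 200 9001
203.0.113.10 - - [20/Dec/2021:10:03:40 +0000] "GET /assets/../.git/index HTTP/1.1" 404 0
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')


def normalize_request_path(raw_path: str) -> str:
    """Strip the query string, percent-decode twice (catches double encoding)
    and collapse '.'/'..' segments so the checks see the real target.
    Re-rooting at '/' keeps normpath from escaping above the content root."""
    path = unquote(unquote(raw_path.split("?", 1)[0]))
    return posixpath.normpath("/" + path.replace("\\", "/").lstrip("/"))


def is_vcs_metadata_path(raw_path: str) -> bool:
    """True when any component of the request is a VCS metadata directory."""
    return any(p in VCS_DIRS for p in normalize_request_path(raw_path).split("/"))


def is_servable_static_path(raw_path: str) -> bool:
    """Static-file guard: serve only paths with no dot-prefixed component, which
    covers .git as well as .env, .htaccess and similar files in the content root."""
    parts = normalize_request_path(raw_path).split("/")
    return not any(p.startswith(".") for p in parts if p)


def find_vcs_probes(log_text: str) -> list[dict]:
    """Detection: report requests for VCS metadata; 'served' marks a 2xx answer,
    i.e. the repository was actually exposed rather than merely probed."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and is_vcs_metadata_path(m.group(3)):
            ip, _method, path, status = m.groups()
            hits.append({"ip": ip, "path": path, "served": status.startswith("2")})
    return hits


if __name__ == "__main__":
    for hit in find_vcs_probes(SAMPLE_LOG):
        print(hit)
```

Run against the constructed log, the scanner reports three probes, two of which were answered with 200 and so represent real exposure rather than a failed attempt.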

According to a research team, a Git-related flaw has been discovered that can be used by malicious actors to access sensitive documents. This security hole was caused by user error, and it has impacted the United Nations and other governments. The impact of the vulnerability will vary widely, according to Vectra CTO Oliver Tavakoli.

According to Tavakoli, access to an application’s source code (as well as any additional files that may have been left in the same directory) might provide information that could be used for future attacks. “The fact that the researchers set up what amounts to a honeypot and saw the vulnerability exploited in the wild is of particular concern as it means that the vulnerability was not a well-kept secret,” Tavakoli explained.

According to a field security director at JupiterOne, leaked source code puts an organization at risk of being hacked by threat actors, who can quickly steal proprietary information or develop an exploit tailored to the source code’s particular flaws.

“The NotLegit vulnerability is especially eye-opening since it highlights the growing security risk caused by privileged accounts and services, even in the absence of developer error,” Henry said.