
Researchers Uncover Vulnerabilities in Microsoft’s Azure App

Security experts found a four-year-old vulnerability in Azure App Service that could expose users’ source code repositories

Microsoft Azure App, Zero-Day Vulnerability

Security experts disclosed a critical vulnerability in Microsoft’s Azure App Service that could expose the source code of users’ applications written in Java, Node, PHP, Python, and Ruby. The vulnerability is now fixed after Wiz researchers reported the issue to Microsoft. A report from Wiz states that the vulnerability, dubbed NotLegit, has been active since September 2017 and has probably been exploited in the wild.

“The only applications that were not impacted by this security flaw are IIS-based applications. Microsoft emailed different notifications to all impacted users based on their configuration between December 7th-15th, 2021,” the report said.


Microsoft stated that the vulnerability triggers when users unintentionally configure the .git folder to be created in the content root, putting them at risk for information disclosure. The technology giant said that the vulnerability could have affected a few users. “Customers who deployed code to App Service Linux via Local Git after files were already created in the application were the only impacted customers,” said Microsoft.

Mitigation

Microsoft took the following steps after the vulnerability was disclosed:

  • Updated all PHP images to disallow serving the .git folder as static content as a defense-in-depth measure.
  • Notified customers impacted due to the activation of in-place deployment with specific guidance on how to mitigate the issue. We also notified customers who had the .git folder uploaded to the content directory.
  • Updated our Security Recommendations document with an additional section on securing source code. We also updated the documentation for in-place deployments.

“All a malicious actor had to do was to fetch the ‘/.git’ directory from the target application and retrieve its source code. Malicious actors are continuously scanning the internet for exposed Git folders to collect secrets and intellectual property. Besides the possibility that the source contains secrets like passwords and access tokens, leaked source code is often used for further sophisticated attacks,” Wiz researcher Shir Tamari said.
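As an added illustration (not code from Wiz or Microsoft), the script below shows how a defender can check their own web-server access logs for requests aimed at a .git directory, normalising percent-encoded and `../` variants so evasions are not missed and separating requests the server actually answered with 200 (evidence of exposure) from blocked ones. The sample log lines and the Common Log Format assumption are constructed for this example.

```python
import re
from posixpath import normpath
from urllib.parse import unquote

# Constructed sample access-log lines (Common Log Format); not from any real server.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Dec/2021:10:01:02 +0000] "GET /index.php HTTP/1.1" 200 512
203.0.113.5 - - [10/Dec/2021:10:01:03 +0000] "GET /.git/HEAD HTTP/1.1" 200 23
203.0.113.5 - - [10/Dec/2021:10:01:04 +0000] "GET /.git/config?x=1 HTTP/1.1" 200 137
198.51.100.7 - - [10/Dec/2021:10:02:00 +0000] "GET /static/%2e%67%69%74/HEAD HTTP/1.1" 404 0
198.51.100.7 - - [10/Dec/2021:10:02:01 +0000] "GET /assets/../.git/index HTTP/1.1" 403 0
192.0.2.9 - - [10/Dec/2021:10:03:00 +0000] "GET /gitlab-logo.png HTTP/1.1" 200 8042
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)

def normalize_path(raw: str) -> str:
    """Canonicalise a request path: drop the query string, undo percent-encoding
    (twice, so double-encoded variants are caught) and collapse '..' segments."""
    path = raw.split("?", 1)[0]
    path = unquote(unquote(path))
    return normpath("/" + path.lstrip("/"))

def is_git_path(raw: str) -> bool:
    """True when any path segment is exactly '.git' (so '/gitlab-logo.png' is ignored)."""
    return any(seg == ".git" for seg in normalize_path(raw).split("/"))

def find_git_requests(log_text: str) -> list:
    """Return one record per request that targets a .git directory."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and is_git_path(m["path"]):
            status = int(m["status"])
            hits.append({"ip": m["ip"], "path": normalize_path(m["path"]),
                         "status": status, "served": status == 200})
    return hits

def exposed_paths(hits: list) -> list:
    """Paths the server answered with 200: evidence the .git folder is being served."""
    return sorted({h["path"] for h in hits if h["served"]})

if __name__ == "__main__":
    found = find_git_requests(SAMPLE_LOG)
    for h in found:
        print(f'{h["ip"]:15} {h["status"]} {h["path"]}')
    print("exposed:", exposed_paths(found))
```

Any path in the exposed list means the deployment is serving repository metadata and should be treated as a source-code leak until the content root is cleaned and the .git folder is denied at the web-server layer.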

Microsoft Warns of Active Directory Flaws

Microsoft recently asked organizations and users to immediately patch two Active Directory Domain Services privilege escalation vulnerabilities. Tracked as CVE-2021-42287 and CVE-2021-42278, these vulnerabilities allow threat actors to take over Windows domains. While the technology giant fixed these flaws during the November 2021 Patch Tuesday, a proof-of-concept tool exploiting the vulnerabilities was publicly disclosed.