The security vulnerability could reveal passwords and access tokens as well as blueprints for the internal infrastructure and find software vulnerabilities. Microsoft Azure Application Service has a four-year vulnerability that could expose the source code of web applications written in PHP, Python, Ruby, or Node, said the researchers, which were implemented using Local Git. According to an analysis by Wiz, the bug was almost certainly exploited in the wild as a zero-day. The company named the vulnerability "NotLegit" and stated that it has existed since September 2017.
Azure App Service is a cloud computing-based forum for hosting websites and web applications. In the meantime, Local Git enables developers to start a local Git storage in the Azure App Service container to deploy code directly on the server. Once deployed, the application will be available to anyone on the Internet under the * .azurewebsites.net domain.
The problem arises because when using Local Git, the Git folder is loaded and publicly accessible even on unpatched systems; It is located in the “/home/site / wwwroot” directory that can be accessed by anyone. According to the company, this has serious consequences for safety reasons. “In addition to the case of the source including secrets such as passwords and access tokens, leaked source code is often used for more complex attacks, such as collecting information about the RandD department, learning about the internal infrastructure and finding software vulnerabilities . “, Stated the researchers in a publication this week. "Finding susceptibilities in software is much more comfortable when the source code is available." They counted, "Basically, all an opposing actor had to do was find the '/.git' directory of the target application and get the source code."
Botched Mitigation
Microsoft initially deployed mitigation in the form of adding a "web.config" file to the Git folder within the public directory, which restricted public access; however, it turns out that this is an incomplete fix. According to Wiz, "only Microsoft's IIS web server handles web. config files." "However, if you use PHP, Ruby, Python, or Node...these programming languages are deployed with different web servers that do not handle web.config files, leaving them unaffected by the mitigation and thus completely vulnerable."
Wiz reported the lingering bug to Microsoft in October and was awarded a $7,500 bounty for the discovery; the computing giant distributed fixes to affected users via email between December 7 and 15.
Likely Exploited in the Wild
Git folders are frequently revealed by mistake due to misconfiguration, and as a result, cybercriminals are on the lookout for them, researchers warned.
"An exposed Git folder is a typical security flaw that users commit without even recognizing it," they wrote. "Malicious actors are always searching the internet for exposed Git folders from which to steal secrets and intellectual property."
Wiz set up a vulnerable Azure App Service application and attached it to an unused domain to see if it could be exploited.
"We patiently paused to see if anyone tried to access the Git files," they presented. "Within four days of deploying, we were unsurprised to see various requests for the Git folder from unknown actors....this exploitation approach is extremely simple, common, and actively exploited."
According to Wiz, the below users should assess the potential risk and ensure that their systems are up to date:
- Users who deployed code via FTP, Web Deploy, or Bash/SSH, resulting in files existing initialized in the net app prior to any git deployment.
- Users who depended on LocalGit in the web app.
- Users who use the Git clone sequence after that to publish updates.
"Because the security flaw was in an Azure service, cloud users were exposed on a large scale, and without their knowledge or control," researchers wrote.
Airzero Sec's Cyber Security Consulting specialists have worked on various projects for a number of famous corporations for years. Use this experience as needed, whether or not it is that will help you get there or to carry out technical checks. If you have any doubt about the above topic. Airzero sec will be your digital partner.
Email:[email protected]
Author - Johnson Augustine
Ethical Hacker and Data Security Researcher
Founder: Airo Global Software Inc
LinkedIn Profile: www.linkedin.com/in/johnsontaugustine/