Microsoft Customer Source Code Exposed via Azure App Service Bug

Researchers found an insecure default behavior in Azure App Service exposing source code of some customer applications deployed using "Local Git."

Researchers discovered a security flaw in Azure App Service that exposed the source code of customer applications written in PHP, Python, Ruby, or Node that were deployed using "Local Git."

The insecure default behavior was dubbed "NotLegit" by the Wiz research team, who found the bug. They say the vulnerability has existed since September 2017 and believe it has probably been exploited in the wild. Wiz reported the findings to Microsoft on Oct. 7, 2021, and it has since been mitigated, though small groups of customers are still potentially exposed, Wiz notes.

Azure App Service, otherwise known as Azure Web Apps, is a cloud-based platform for hosting Web applications and websites. There are multiple ways to deploy source code and artifacts to the Azure App Service. One of these is Local Git, through which users initiate a local Git repository in the Azure App Service container, which lets them push their code to the server.

When Local Git was used to deploy to Azure App Service, the Git repository was created within a publicly accessible directory (home/site/wwwroot) that anyone could access, researchers explain in a blog post. Microsoft was aware of this, so to protect files it added a "web.config" file to the .git folder in the public directory, and this restricted public access. However, only the Microsoft Internet Information Services (IIS) Web server handles "web.config" files, they note.

This meant for people using C# or ASP.NET, their applications were deployed with IIS, and Microsoft's mitigation worked. But PHP, Ruby, Python, and Node are deployed with different Web servers that don't handle "web.config" files. This means the mitigation didn't apply, and applications were vulnerable to attackers who could retrieve files not intended to be public.

As a result, customers could unintentionally configure the .git folder to be created in content root. This put them at risk for information disclosure. This issue, combined with an application configured to serve static content, would enable attackers to download their files.

"This happens because the system attempts to preserve the currently deployed files as part of repository contents, and activates what is referred to as in-place deployments by deployment engine (Kudu)," the Microsoft Security Response Center wrote in a blog post.

Microsoft released its own update today to state the issue is limited to Azure App Service Linux customers who deployed applications using Local Git after files were created or changed in the content root directory. Applications deployed with Microsoft's IIS by Azure App Service Windows customers are not affected.

"Customers who deployed code to App Service Linux via Local Git after files were already created in the application were the only impacted customers," Microsoft wrote.

After it learned of the issue, Microsoft says it updated all PHP images to disallow serving the .git folder as static content. Customers affected by the issue have been notified, it noted.