Microsoft admits Azure App Service source code leak bug • The Register

Microsoft has revealed a vulnerability in its Azure App Service for Linux that allowed file downloads that users almost certainly did not intend to release to the public.

Microsoft bills Azure App Service as what you need if you want to “quickly and easily build business-ready web and mobile applications for any platform or device, and deploy them on a scalable and reliable cloud infrastructure.”

Note that the description does not mention security.

The omission was oddly prescient, as the Wiz cloud security team probed the service and found what it describes as “insecure default behavior in Azure App Service which exposed the source code of client applications written in PHP, Python, Ruby, or Node, which were deployed using ‘Local Git’.”

Wiz has named the flaw “NotLegit” and claims that it has been around since September 2017 and “has likely been exploited in the wild.”

The heart of the flaw is that when Azure App Service users deployed their git repositories to the service, the repositories landed in the publicly accessible /home/site/wwwroot directory. Among the files exposed there was the .git folder, which contains source code and other confidential information. It was all sitting on the web for anyone to fetch.
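The failure mode above is simple to check for before a deploy goes live: if the .git directory lives inside the served web root, every object and ref in it is one HTTP GET away. The following pre-deployment audit is an added example (not Wiz’s or Microsoft’s code); it constructs two throwaway /home/site layouts in a temp directory, one with the repository cloned straight into wwwroot and one with the checkout kept beside it, and reports what a static file server would hand out.

```python
"""Pre-deployment audit for the exposure class behind NotLegit: a .git
directory (or other secret-bearing file) sitting under a web root that a
static file server will serve to anyone. Example code, not Wiz's or
Microsoft's; the layouts below are constructed in a temp directory."""
import os
import tempfile
from pathlib import Path
from typing import List, Tuple

# Anything with these names under the web root is served as a plain file.
SENSITIVE_DIRS = {".git", ".svn", ".hg"}
SENSITIVE_FILES = {".env", ".npmrc", ".pypirc"}


def audit_webroot(webroot: str) -> List[str]:
    """Return URL-style paths of sensitive items reachable under *webroot*."""
    root = Path(webroot)
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        rel = Path(dirpath).relative_to(root)
        for d in list(dirnames):
            if d in SENSITIVE_DIRS:
                findings.append("/" + (rel / d).as_posix())
                dirnames.remove(d)  # whole tree is exposed; no need to descend
        findings.extend("/" + (rel / f).as_posix()
                        for f in filenames if f in SENSITIVE_FILES)
    return sorted(findings)


def _write(path: Path, text: str) -> None:
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_text(text)


def build_demo_layouts() -> Tuple[str, str]:
    """Constructed /home/site trees: a 'Local Git' deploy with the repo cloned
    straight into wwwroot (vulnerable) versus a checkout kept outside it."""
    base = Path(tempfile.mkdtemp())
    vuln = base / "vuln" / "wwwroot"
    _write(vuln / "index.php", "<?php echo 'hi';")
    _write(vuln / ".git" / "HEAD", "ref: refs/heads/master\n")
    _write(vuln / ".git" / "config", "[core]\n\tbare = false\n")
    _write(vuln / ".env", "DB_PASSWORD=constructed-sample\n")
    safe = base / "safe" / "wwwroot"
    _write(safe / "index.php", "<?php echo 'hi';")
    _write(base / "safe" / "repository" / ".git" / "HEAD", "ref: refs/heads/master\n")
    return str(vuln), str(safe)


if __name__ == "__main__":
    for label, root in zip(("vulnerable", "hardened"), build_demo_layouts()):
        print(label, audit_webroot(root) or "clean")
```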

People were watching. Wiz’s post states that it created a vulnerable Azure App Service application and within four days detected multiple attempts to access its .git folder.

Microsoft has acknowledged the flaw, said it was impacting a “limited subset of customers” and would help put things right.

Wiz has form finding nasty Azure bugs: it also found the ChaosDB flaw that allowed unauthorized read and write access to Microsoft’s Azure Cosmos DB, and the “OMIGOD” family of flaws that allowed unauthorized code execution on Azure servers.

Microsoft paid Wiz a $7,500 bounty for finding the flaw, which was responsibly disclosed in September. Microsoft notified customers of the issue before disclosing it in a blog post dated December 22. ®
