Microsoft has notified a small group of customers that they were affected by an old Azure bug that has been in the code since 2017 but was only recently discovered. Due to a bug, the source code was leaked from the repositories and was available to outsiders.The vulnerability was discovered back in September by the information security company Wiz, which deals with cloud security. The hotfix was released in November, and Microsoft has spent the last weeks figuring out exactly how many customers were affected by the bug.
The vulnerability is dubbed NotLegit and is related to Azure App Service, an Azure cloud feature that allows customers to deploy sites and web applications from a source repository.
Microsoft reports that any PHP, Node, Ruby, and Python applications deployed using the method mentioned above will suffer from this bug. However, it is emphasized that the bug affected only applications deployed on Azure servers running Linux, but not applications hosted on systems running Windows Server.
Interestingly, according to Wiz, the vulnerability even affected applications deployed back in 2013, although the problem itself appeared in the code only in 2017.
The researchers warn that the most dangerous were cases where the leaked source code contained .git configuration files, which themselves contain passwords and tokens for other client systems, including databases and APIs.
There are several botnets that constantly scan the network for accidentally forgotten .git files, because they can help attackers gain access to corporate infrastructure. While the criminals might not have known about the NotLegit vulnerability, Wiz experts believe the vulnerability was most likely exploited by hackers indirectly through such scans.
Let me remind you that we have already talked about the problems with Azure. For example, that Microsoft urged administrators to fix vulnerabilities in Azure Linux VMs collectively known as OMIGOD, and also that, in the end, Microsoft patches OMIGOD vulnerabilities on Azure Linux VMs.
User Review( votes)