Microsoft informs customers about security bug in Azure Cloud
Microsoft has informed users about a 'NotLegit' bug in Azure Cloud that may have put some customers' data at hacking risk. The Microsoft's Security Response Centre (MSRC) was informed by Wiz.io, a cloud security vendor, of an issue where customers can unintentionally configure the '.git folder' to be created in the content root, which would put them at risk for information disclosure.
"This, when combined with an application configured to serve static content, makes it possible for others to download files not intended to be public," Microsoft said in a statement late on Thursday.
"We have notified the limited subset of customers that we believe are at risk due to this and we will continue to work with our customers on securing their applications," the company added.
App Service Linux customers who deployed applications using Local Git after files were created or modified in the content root directory are impacted.
"This happens because the system attempts to preserve the currently deployed files as part of repository contents, and activates what is referred to as in-place deployments by deployment engine (Kudu)," Microsoft informed.
Not all users of 'Local Git' were impacted by the vulnerability and the Azure App Service Windows was not affected, the company said.
Microsoft updated all PHP images to disallow serving the .git folder as static content as a defence in depth measure.
"We have notified customers who were impacted due to the activation of in-place deployment with specific guidance on how to mitigate the issue," the company informed.
The Wiz Research Team said it first notified Microsoft of the issue on October 7 and the fix was deployed in November and customers were notified by December.
Wiz was paid a bug bounty of $7,500, reports ZDNet.
"Small groups of customers are still potentially exposed and should take certain user actions to protect their applications, as detailed in several email alerts Microsoft issued between the 7th - 15th of December, 2021," said Wiz.