Read about the NotLegit vulnerability discovered by the Wiz Research Team, where the Azure App Service exposed hundreds of source code repositories.
Analysis Summary
# Vulnerability: Azure App Service 'Local Git' Insecure Default Exposing Source Code ('NotLegit')
## CVE Details
- CVE ID: Not explicitly assigned in the provided text. (Implied vulnerability discovered and patched by vendor.)
- CVSS Score: Not specified. Severity implied High because application source code was exposed.
- CWE: Insufficient Isolation/Exposure of Sensitive Data (Related to CWE-200: Exposure of Sensitive Information to an Unauthorized Actor)
## Affected Systems
- Products: Azure App Service (AKA Azure Web Apps)
- Versions: Applications deployed since September 2017 that meet specific criteria.
- Configurations:
  - Applications written in **PHP, Python, Ruby, or Node**.
  - Deployed using the **“Local Git”** deployment method.
  - OR, any Git deployment source used *after* a file was created or modified in the application container (triggering the 'inplace deployment' state).
- **Only** IIS-based applications (C#, ASP.NET) were inherently protected by the vendor's attempted mitigation.
## Vulnerability Description
The vulnerability stemmed from an insecure default behavior in Azure App Service when using the "Local Git" deployment method. This method created a local Git repository (`.git` folder) within the publicly accessible web root directory (`/home/site/wwwroot`). Because that directory is served over HTTP, unauthorized actors could fetch the hidden `.git` folder and obtain application source code, developer emails, and other intellectual property.
A mitigation attempt by Microsoft involved placing a `web.config` file in the `.git` directory to restrict access. However, this mitigation only worked for applications served by IIS (e.g., C#). Applications using PHP, Ruby, Python, or Node (served by Apache, Nginx, etc.) did not process `web.config`, leaving the repository publicly accessible. Furthermore, an "inplace deployment" state, triggered by modifying any file in the container *before* a Git deployment, forced subsequent Git pushes into the public directory, exposing non-Local Git deployments as well.
## Exploitation
- Status: **Probably exploited in the wild** (vulnerable behavior present since Sept 2017; Wiz reported it in Oct 2021).
- Complexity: **Low** (Requires only fetching the `/.git` directory via HTTP).
- Attack Vector: **Network** (Remote, public internet access).
## Impact
- Confidentiality: **High** (Source code leakage, secrets exposure).
- Integrity: **Medium** (Indirect risk: leaked code can expose further avenues for compromise).
- Availability: **Low** (Direct impact is not stated, primarily a confidentiality issue).
## Remediation
### Patches
- Microsoft deployed fixes starting *November 17, 2021* (Fix for PHP applications deployed).
- The underlying issue has been mitigated by the Azure App Service/MSRC team.
### Workarounds
- Users who utilized Local Git or were caught in the 'inplace deployment' state needed to **take action themselves** after receiving email alerts from Microsoft (December 7th - 15th, 2021). The specific required actions are not detailed in this summary; they were communicated directly to affected customers via email.
## Detection
- Indicators of compromise: Unauthorized retrieval of directories named `.git` from the application endpoint.
- Detection methods and tools: General network monitoring tools capable of logging HTTP requests, used to identify access patterns against hidden or configuration directories (e.g., `/.git/`). Wiz identified the issue through platform discovery.
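The detection approach described above, as an added example that is not part of the original report: it parses constructed Combined Log Format access-log lines, flags any request whose path contains a `.git` segment (including percent-encoded forms), and distinguishes requests the server actually served (status 200, meaning the repository is exposed) from probes that were denied.

```python
# Added example (not from the Wiz report): flag access-log requests that
# touch a `.git` path and separate served objects from denied probes.
import re
from urllib.parse import unquote, urlsplit

# Combined Log Format: ip ident user [time] "METHOD path PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+'
)
# A path segment equal to ".git": matches /.git/HEAD and /app/.git/config,
# but not /blog/git-tips.html or /.gitignore
GIT_SEGMENT_RE = re.compile(r'(^|/)\.git(/|$)')


def is_git_path(raw_path: str) -> bool:
    # Percent-decode and strip the query string first, so "/%2Egit/HEAD"
    # and "/.git/config?x=1" are both recognised.
    return bool(GIT_SEGMENT_RE.search(unquote(urlsplit(raw_path).path)))


def scan(lines):
    """Return (ip, path, status, exposed) for every request to a .git path.
    exposed is True when the server answered 200, i.e. the object was served."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in Combined Log Format
        if is_git_path(m["path"]):
            status = int(m["status"])
            findings.append((m["ip"], m["path"], status, status == 200))
    return findings


# Constructed sample lines, not taken from any real system.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Oct/2021:13:55:36 +0000] "GET /.git/HEAD HTTP/1.1" 200 23 "-" "curl/7.68.0"',
    '203.0.113.5 - - [10/Oct/2021:13:55:37 +0000] "GET /.git/config HTTP/1.1" 200 310 "-" "curl/7.68.0"',
    '198.51.100.7 - - [10/Oct/2021:14:01:02 +0000] "GET /%2Egit/HEAD HTTP/1.1" 404 153 "-" "python-requests/2.25"',
    '192.0.2.9 - - [10/Oct/2021:14:05:10 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '192.0.2.9 - - [10/Oct/2021:14:05:11 +0000] "GET /blog/git-tips.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, path, status, exposed in scan(SAMPLE_LOG):
        print("EXPOSED" if exposed else "probe  ", ip, path, status)
```

A 200 on `/.git/HEAD` or `/.git/config` in your own logs is the signal to treat the repository as already disclosed and rotate any secrets it contains.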
## References
- Vendor Advisory: Microsoft (MSRC) advisories issued between December 7th - 15th, 2021 (Internal communication).
- Relevant links (defanged):
  - Detailed information on inplace deployment: `hXXps://github.com/projectkudu/kudu/wiki/Deploying-inplace-and-without-repository`