Researchers last week detected an insecure default behavior in the Azure App Service that exposed the source code of customer applications written in PHP, Python, Ruby, and Node that were deployed by using “Local Git.”
In a blog post, the Wiz Research Team said the vulnerability – dubbed NotLegit – has existed since September 2017 and more than likely has been exploited in the wild.
The Wiz researchers reported this security flaw to Microsoft on Oct. 7 of this year and by now it has been mitigated. Microsoft has since updated its security recommendations document with an additional section on securing source code. The large software vendor also updated the documentation for in-place deployments.
Leaked source code puts an organization in an incredibly vulnerable position to threat actors, who can instantly steal years of intellectual property or rapidly launch an exploit tailored to unique weaknesses in the source code,” said Jasmine Henry, field security director at JupiterOne.
“The NotLegit vulnerability is especially eye-opening since it highlights the growing security risk caused by privileged accounts and services, even in the absence of a developer error,” Henry said.
Oliver Tavakoli, chief technology at Vectra, said the impact of this vulnerability will be highly variable. Tavakoli said accessing the source code underlying an application (and possibly other files which might have been left in the same directory) may offer information that threat actors could leverage for other attacks.
“The fact that the researchers set up what amounts to a honeypot and saw the vulnerability exploited in the wild is of particular concern as it means that the vulnerability was not a well-kept secret,” Tavakoli said.
Issues with rapid migration to the cloud during the pandemic may haunt businesses and organizations over the next year, say cybersecurity experts.
The talks are being pushed by National Security Adviser Jake Sullivan in the wake of the discovery of the critical Log4j vulnerability that potentially leaves companies and devices around the world open to breaches by threat actors.
Only 30% of enterprises have achieved full implementation of DevSecOps practices at present, the Cloud Security Alliance said in its Secure DevOps and Misconfigurations 2021 report, while some organizations that are adopting DevSecOps are facing setbacks from misconfigurations caused by keeping security settings on default.
Copyright © 2021 CyberRisk Alliance, LLC All Rights Reserved This material may not be published, broadcast, rewritten or redistributed in any form without prior authorization.