Description:

By default, Azure Functions, Web Apps, and API Apps can be deployed over FTP. If FTP is required for an essential deployment workflow, FTPS should be required for FTP logins to all App Service apps and Function Apps (FTP state set to FTPS Only); where FTP is not required, it should be disabled.


Rationale:

Azure FTP deployment endpoints are public. An attacker able to observe traffic on a Wi-Fi network used by a remote employee, or on a corporate network segment, could capture the FTP login in cleartext, which would then grant them full control of the code base of the app or service. This finding is more severe if user-scope deployment credentials (shared across every app the user can deploy to) are in use rather than the default application-scope credentials, which are unique per app.


Impact:

Any deployment workflows that rely on FTP or FTPS rather than the WebDeploy or HTTP endpoints may be affected.


Default Value:

By default, FTP deployments are enabled.


Test Plan:

From Azure Console 2.0 For Web Apps

  1. Go to the Azure Portal

  2. Select App Services

  3. Click on an App

  4. Select Settings > Configuration

  5. Select General Settings

  6. Under Platform Settings, FTP state should not be All allowed

From Azure Console 2.0 For Function Apps

  1. Go to the Azure Portal

  2. Select App Services

  3. Click on a Function App

  4. Select Platform Features

  5. Select Configuration 

  6. Select General Settings

  7. Under Platform Settings, FTP state should not be All allowed


Using Azure CLI 2.0

List web apps to obtain their resource ids.

az webapp list

List the publishing profiles to obtain the username, password, and FTP server URL (output abbreviated; the password is masked here).

az webapp deployment list-publishing-profiles --ids <ids>
{
  "publishUrl": "ftp://waws-prod-dm1-129.ftp.azurewebsites.windows.net/site/wwwroot",
  "userName": "engineer-webapp-test\\$engineer-webapp-test",
  "userPWD": "dHwjxxxxxxxxxxxxxxxxxxxxxxxxxxisdk6xMgeswoqg",
}

The username to use for FTP is the full userName value, engineer-webapp-test\$engineer-webapp-test (the doubled backslash is JSON escaping for a single backslash); application-scope FTP usernames always take the form <app-name>\$<app-name>. An ftp:// publishUrl identifies the FTP endpoint, but whether plain FTP logins are accepted is governed by the app's FTP state setting, which is what the portal steps above check.


Remediation:

From Azure Console

  1. Go to the Azure Portal

  2. Select App Services

  3. Click on an App

  4. Select Settings > Configuration

  5. Under Platform Settings, set FTP state to Disabled (if FTP is not needed) or FTPS Only (if an FTP-based workflow must be kept), then Save
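The following script is an added example, not part of the benchmark page or of Azure's own tooling. It automates the Test Plan and Remediation steps above across every web app and function app in the current subscription: it collects each app's FTP state, fails closed on anything other than FTPS Only or Disabled, and prints the Azure CLI command that remediates each finding. The commands az webapp list, az webapp config show --query ftpsState and az webapp config set --ftps-state (and their az functionapp counterparts) are real; the resource names and states in sample_inventory are constructed sample data so the evaluation logic can be run offline without an Azure login.

```shell
#!/bin/sh
# Added example: audit the FTP state of App Service web apps and function apps and
# emit the Azure CLI remediation for each finding. Not from the benchmark page.
# The az commands below are real; sample_inventory is constructed data standing in
# for their output so that the evaluation logic runs offline.

TAB=$(printf '\t')

# Live inventory (needs an authenticated az session; not used by the offline demo).
# Prints one "name<TAB>resourceGroup<TAB>kind<TAB>ftpsState" line per app. Web apps
# and function apps expose the same site-config property, ftpsState.
collect_ftps_state() {
  for kind in webapp functionapp; do
    az "$kind" list --query "[].[name,resourceGroup]" -o tsv |
    while IFS="$TAB" read -r name rg; do
      state=$(az "$kind" config show --name "$name" --resource-group "$rg" \
                --query ftpsState -o tsv)
      printf '%s\t%s\t%s\t%s\n' "$name" "$rg" "$kind" "$state"
    done
  done
}

# Constructed sample of what collect_ftps_state returns (not real resources).
# The last line has an empty state to show that an unknown value is not treated as compliant.
sample_inventory() {
  printf 'web-prod\trg-prod\twebapp\tAllAllowed\n'
  printf 'web-api\trg-prod\twebapp\tFtpsOnly\n'
  printf 'func-etl\trg-data\tfunctionapp\tDisabled\n'
  printf 'func-legacy\trg-data\tfunctionapp\t\n'
}

# Read inventory lines on stdin. Only FtpsOnly and Disabled pass; AllAllowed or an
# empty/unrecognised value fails (fail closed). Prints "PASS|FAIL name rg kind state"
# and returns 1 if any app failed, so it can gate a pipeline.
evaluate_ftps_state() {
  failed=0
  while IFS="$TAB" read -r name rg kind state; do
    [ -n "$name" ] || continue
    case $(printf '%s' "$state" | tr '[:upper:]' '[:lower:]') in
      ftpsonly|disabled) verdict=PASS ;;
      *) verdict=FAIL; failed=1 ;;
    esac
    printf '%s %s %s %s %s\n' "$verdict" "$name" "$rg" "$kind" "${state:-<unset>}"
  done
  return "$failed"
}

# Remediation for one finding (name, resourceGroup, kind, target state). FtpsOnly keeps
# an FTP-based workflow working over TLS; pass Disabled to switch the endpoint off.
remediation_command() {
  printf 'az %s config set --name %s --resource-group %s --ftps-state %s\n' \
    "$3" "$1" "$2" "${4:-FtpsOnly}"
}

# Print a remediation line for every FAIL produced by the given inventory function.
suggest_remediations() {
  "$1" | evaluate_ftps_state | while read -r verdict name rg kind state; do
    if [ "$verdict" = FAIL ]; then remediation_command "$name" "$rg" "$kind"; fi
  done
}

# Offline demo; replace sample_inventory with collect_ftps_state for a real subscription.
sample_inventory | evaluate_ftps_state || echo "non-compliant apps found"
suggest_remediations sample_inventory
```

The evaluation deliberately treats an empty or unrecognised ftpsState as a finding rather than assuming the default is safe, since the default for this setting is All allowed. The suggested remediation defaults to FtpsOnly so that an existing FTP-based pipeline keeps working; pass Disabled instead where no FTP workflow exists.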


Backout Plan:

  1. Go to App Services

  2. Click on each App

  3. Under Setting section, Click on Configuration

  4. Under Platform Settings, set FTP state back to All allowed and Save to revert the change



References:

  1. [Azure Web Service Deploy via FTP](https://docs.microsoft.com/en-us/azure/app-service/deploy-ftp)

  2. [Azure Web Service Deployment](https://docs.microsoft.com/en-us/azure/app-service/overview-security)

  3. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-data-protection#dp-4-encrypt-sensitive-information-in-transit