Description:
By default, Azure Functions, Web, and API Services can be deployed over FTP. If FTP is required for an essential deployment workflow, FTPS should be required for FTP login for all App Service Apps and Functions.
Rationale:
Azure FTP deployment endpoints are public. An attacker listening to traffic on a Wi-Fi network used by a remote employee, or on a corporate network, could see the login credentials in clear text, which would then grant them full control of the code base of the app or service. This finding is more severe if User Credentials for deployment are set at the subscription level rather than using the default Application Credentials, which are unique per App.
Impact:
Any deployment workflows that rely on FTP or FTPS rather than the WebDeploy or HTTP endpoints may be affected.
Default Value:
By default, FTP deployments are enabled.
Test Plan:
From Azure Console 2.0 For Web Apps
Go to the Azure Portal
Select App Services
Click on an App
Select Settings > Configuration
Select General Settings
Under Platform Settings, FTP state should not be All allowed
From Azure Console 2.0 For Function Apps
Go to the Azure Portal
Select App Services
Click on an App Function
Select Platform Features
Select Configuration
Select General Settings
Under Platform Settings, FTP state should not be All allowed
Using Azure CLI 2.0
List webapps to obtain the ids.
az webapp list
List the publish profiles to obtain the username, password, and FTP server URL.
az webapp deployment list-publishing-profiles --ids <ids>
```json
{
  "publishUrl": "ftp://waws-prod-dm1-129.ftp.azurewebsites.windows.net/site/wwwroot",
  "userName": "engineer-webapp-test\\$engineer-webapp-test",
  "userPWD": "dHwjxxxxxxxxxxxxxxxxxxxxxxxxxxisdk6xMgeswoqg"
}
```
The correct username to use for FTP would be engineer-webapp-test in the output above.
Remediation:
From Azure Console
Go to the Azure Portal
Select App Services
Click on an App
Select Settings > Configuration
Under Platform Settings, FTP state should be Disabled or FTPS Only
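The Azure CLI check from the Test Plan and the remediation above, combined into one script. This is an added example, not part of the benchmark text; it assumes `az` is installed and signed in to the subscription being audited.

```shell
#!/bin/sh
# Added example, not from the benchmark: audit (and optionally fix) the FTP
# state of every Web App and Function App in the signed-in subscription.
# Assumes `az` is installed and logged in. `az webapp config show/set`,
# `az functionapp config show/set` and the --ftps-state values
# AllAllowed / FtpsOnly / Disabled are real Azure CLI options.

# Benchmark verdict for one ftpsState value: only Disabled and FtpsOnly pass.
# Kept free of az calls so it can be checked offline.
ftp_state_verdict() {
    case "$1" in
        Disabled|FtpsOnly) echo pass ;;
        *)                 echo fail ;;
    esac
}

# Print one report line "pass|fail kind state name"; return 0 only on pass.
report_app() {  # $1 = kind (webapp|functionapp), $2 = app name, $3 = ftpsState
    verdict=$(ftp_state_verdict "$3")
    printf '%-4s %-12s %-10s %s\n' "$verdict" "$1" "$3" "$2"
    [ "$verdict" = pass ]
}

# Walk every app of one kind. App names cannot contain whitespace, so the
# tab-separated "name resourceGroup" rows read back safely.
audit_kind() {  # $1 = webapp | functionapp
    az "$1" list --query "[].[name, resourceGroup]" -o tsv |
    while read -r name rg; do
        state=$(az "$1" config show --name "$name" --resource-group "$rg" \
                   --query ftpsState -o tsv)
        report_app "$1" "$name" "$state" || true   # keep going on a fail
    done
}

# Remediation for one app: FtpsOnly keeps FTP deployments working over TLS,
# Disabled removes the endpoint entirely (AllAllowed would back the change out).
set_ftp_state() {  # $1 = kind, $2 = name, $3 = resource group, $4 = FtpsOnly|Disabled
    az "$1" config set --name "$2" --resource-group "$3" --ftps-state "$4" \
       --query ftpsState -o tsv
}

# Usage: sh audit_ftp.sh audit                  -> report all web and function apps
#        sh audit_ftp.sh fix KIND NAME RG [FtpsOnly|Disabled]
case "${1:-}" in
    audit) audit_kind webapp; audit_kind functionapp ;;
    fix)   set_ftp_state "$2" "$3" "$4" "${5:-FtpsOnly}" ;;
esac
```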
Backout Plan:
Go to App Services
Click on each App
Under Setting section, Click on Configuration
Under Platform Settings, set FTP state back to All allowed (this reverts the change)
References:
[Azure Web Service Deploy via FTP](https://docs.microsoft.com/en-us/azure/app-service/deploy-ftp)
[Azure Web Service Deployment](https://docs.microsoft.com/en-us/azure/app-service/overview-security)