Security vulnerability in SQL Backup Pro 7.4 & 7.5

4th December 2013

We recently discovered that there is a security vulnerability in SQL Backup Pro 7.4 & 7.5.

The vulnerability affects the security of account credentials used by SQL Backup Pro, not your backup files. Any backups you’ve made with SQL Backup Pro are still fully reliable.

We don't have any examples of anyone exploiting this vulnerability. Due to the nature of the vulnerability, it's very unlikely that the affected accounts have been compromised.

We're really sorry this has happened. We're continuing to work with a security consultancy to make sure we handle this incident in the safest way possible for our customers and users.


Mitigating factors

The vulnerability only affects new installations of the SQL Backup Agent service and not versions which have been upgraded.

If you installed SQL Backup Pro 7.4 or 7.5 after 20th June 2013, follow the steps below to fix the problem and make sure you're secure.

If you upgraded to SQL Backup Pro 7.4 or 7.5 from an older version of SQL Backup Pro, you won't be affected by this vulnerability.


What is the vulnerability?

SQL Backup Pro 7.4 & 7.5 inadvertently store credentials for two accounts used by the SQL Backup Agent service, which you enter into the red boxes shown below during installation:

[Screenshot: SQL Backup - Install Server Components, Step 2 of 2: Specify account details.]

The credentials are only stored locally on the server in question. Our software does not transfer or otherwise store these credentials outside of the server that is running the SQL Backup Agent service.

If you used the built-in Service Accounts (LocalSystem, LocalService, or NetworkService) for both the login and authentication, no credentials will be stored.


What is the SQL Backup Agent service?

The SQL Backup Agent service is part of the SQL Backup Pro server components. You might also refer to it as the SQL Backup engine.

You install it on each SQL Server instance and each node of a clustered instance.

It is responsible for compressing and encrypting the backup files, among other things.

It is distinct from the SQL Backup Pro UI.


How can I resolve this vulnerability?

If you did a fresh install of SQL Backup Pro v7.4.0 or later, upgrade to SQL Backup 7.6, which contains a fix.

You should also upgrade all your SQL Backup Agents and we recommend you change the passwords of any affected accounts.

In a clustered environment, you should upgrade the SQL Backup Agents on each node of the cluster. This article has information about installation in a clustered environment: https://documentation.red-gate.com/display/SBU7/Installing+the+server+components+on+a+SQL+Server+cluster

You shouldn't need to reboot your servers.


I'm using a version of SQL Backup that's earlier than version 7.4 – am I affected?

No. The vulnerability was introduced in SQL Backup Pro 7.4. If you're using an earlier version, such as SQL Backup Pro 7.3 or SQL Backup Pro 6, you won't be affected.


I upgraded to SQL Backup Pro 7.4/7.5 from an older version – am I affected?

The vulnerability affects new installations of the SQL Backup Agent service. It does not affect an upgrade of the SQL Backup Agent service from an older version.

If you continue to run SQL Backup Pro 7.4/7.5, then you're still able to install the version of the SQL Backup Agent with this vulnerability. For this reason, we suggest you upgrade to SQL Backup Pro 7.6 as a precaution.


I can't upgrade SQL Backup Pro right now – what should I do?

Use our standalone utility to fix the problem for now, and upgrade later.

In a clustered environment, you should run the utility on each node of the cluster.

Don't install the SQL Backup Agent again until you upgrade to v7.6.


I uninstalled SQL Backup Pro – am I still affected?

Yes, but you can fix the problem with the standalone utility.

Download the utility and run it on any servers where you installed the SQL Backup Agent service.

If you installed the SQL Backup Agent service in a clustered environment, you should run the utility on each node of the cluster.


For more information, contact Redgate Support

US & Canada:

1 866 627 8107

support@red-gate.com

UK:

0800 169 7433 (free phone)

support@red-gate.com

Other countries:

+44 (0)1223 437 901

support@red-gate.com