Redgate Test Data Manager

Improve your release quality and reduce your risk, with the flexibility to fit your workflow

Flyway

Automate database deployments across teams and technologies

Redgate Monitor

Understand server performance in an instant with fast deep-dive analysis

See all our products

Overview

Redgate’s end-to-end Database DevOps solutions

Test Data Management

Reliable test data management, automating repetition out of the process

Automate

Automate and accelerate your database change management workflow

Monitor

Monitor your cross-database, multi-platform estate to ensure optimal performance

Security vulnerability in Redgate Monitor

27th May 2015

We recently discovered a security vulnerability in Redgate Monitor.

This issue has been assigned the Common Vulnerabilities and Exposures ID CVE-2015-9098.

This vulnerability would have made it possible for an attacker with network access to the web application or Base Monitor components of Redgate Monitor to access information or perform actions without authorization.

This discovery was made in-house: we don't have any examples of anyone exploiting this vulnerability.

We're really sorry this has happened. We're continuing to work with security experts to make sure we handle this incident in the safest way possible for our customers and users.

What is the vulnerability?

We have discovered that the connection between the Redgate Monitor web application and the Base Monitor service can be compromised.

Am I affected?

This vulnerability exists in all released versions of Redgate Monitor.

Note that this vulnerability does not exist in SQL Response, an older monitoring product that has been retired.

How could this be exploited?

An attacker could circumvent Redgate Monitor’s user role authentication mechanism (as described at https://documentation.red-gate.com/display/SM4/Managing+user+roles).

  • This would provide an unauthorized user with access to any data collected by Redgate Monitor. Depending on the database design, query fragments collected by Deadlock alerts, Long Running Query alerts, or SQL Server Error Log alerts could contain privileged data.
  • Additionally, for Redgate Monitor v3.0 or later, the Custom Metrics feature could allow an attacker to run any T-SQL statement on a monitored server. This could allow someone to change or delete data or databases on the monitored server.

A determined attacker could create a malicious endpoint (e.g. a custom client, server, or proxy) to gain access to additional data communicated to and stored by a vulnerable Base Monitor service.

  • This could reveal the SMTP credentials, which could lead to further exploit if these are reused elsewhere.
  • The SQL Server and machine credentials used by the Base Monitor service are stored encrypted in the Data Repository; however, if credentials were entered into the Redgate Monitor web application during an ongoing malicious endpoint attack, these could be visible to an attacker.
  • Note: due to the nature of the vulnerability, it is very unlikely that an attacker could divine the mechanism by which they could launch a malicious endpoint attack.

Further mitigating factors

The following are additional mitigating factors:

  • For exploits against the Base Monitor, the attacker would need to be able to communicate with the Base Monitor component of Redgate Monitor, which listens by default on TCP port 7399.
  • For exploits against the web application, the attacker would need to be able to communicate with the web application component of Redgate Monitor, which listens by default on TCP port 8080 when running under Redgate Monitor’s built-in web server.
  • For either exploit, this typically means that an attacker would either need to be on your network, or would need to circumvent your normal network security mechanisms such as firewalls.

How can I resolve this vulnerability?

We have made fixes available in both the v3 and v4 release streams of Redgate Monitor.

Download Redgate Monitor v3.10 Download Redgate Monitor v4.2

Any Redgate Monitor customer can upgrade to either of these releases, regardless of their support status.

Note: Under some circumstances, the Redgate Monitor installer can report an error message "Port is not available". If you encounter this error, you will need to stop the Redgate Monitor Windows services before you run the installation.

  1. From the Start Menu, open services.msc.
  2. Locate the services named "Redgate Monitor [*] Base Service" (and, if you're using Redgate Monitor's own web server "Redgate Monitor [*] Web Service") - where [*] stands for the version you have installed.
  3. Right click on each of these services and select "Stop".
  4. Re-run the installer.

If you are unable to upgrade Redgate Monitor, then you could instead secure the port on the machine running the Base Monitor, to only allow connections from the web server running the Redgate Monitor web application. The port used is configured during installation: the default port is 7399, but you can check this via the Redgate Monitor UI (go to Configuration -> About).

Please note that, due to the wide variety of firewall technologies, Redgate cannot offer customer support on firewall configuration settings.

Are there any implications of upgrading to Redgate Monitor v4.2?

For Redgate Monitor v4 customers upgrading to Redgate Monitor v4.2:

  • There are no performance implications.
  • There are no data collection or storage change implications.
  • If you upgrade from a version earlier than v4.1.1, there are schema changes associated with upgrading to Redgate Monitor v4.2. Before you upgrade to a later version, we recommend that you back up your current Data Repository. Once the upgrade is completed, you won't be able to roll back to a previous version of your Data Repository database.

For Redgate Monitor v2 or v3 customers, upgrading to Redgate Monitor v4.2:

  • There may be a small additional performance load (up to 10%) on the machine running the Base Monitor service.
  • There is a small (less than 10%) increase in the rate of data collection, and in storage requirements for the Data Repository.
  • There are schema changes associated with upgrading to Redgate Monitor v4.2. Before you upgrade to a later version, we recommend that you back up your current Data Repository. Once the upgrade is completed, you won't be able to roll back to a previous version of your Data Repository database.

Are there any implications of upgrading to Redgate Monitor v3.10?

For Redgate Monitor v3 customers upgrading to Redgate Monitor v3.10:

  • There are no performance implications.
  • There are no data collection or storage change implications.
  • There are no schema change implications.

For Redgate Monitor v2 customers, upgrading to Redgate Monitor v3.10:

  • There are no performance implications.
  • There are no data collection or storage change implications.
  • There are schema changes associated with upgrading to Redgate Monitor v3.10. Before you upgrade to a later version, we recommend that you back up your current Data Repository. Once the upgrade is completed, you won't be able to roll back to a previous version of your Data Repository database.

For more information, contact Redgate Support:

US & Canada (toll free):
1 866 627 8107
Support

UK (free phone):
0800 169 7433
Support

Other countries:
+44 (0)1223 437 901
Support