Security vulnerability in SQL Monitor

28th November 2019

Summary

We discovered a security vulnerability affecting all versions of SQL Monitor up to and including 9.2.4, allowing a malicious user with administrative privileges to obtain the SMTP credentials previously configured in the notification settings page.

The vulnerability has a CVSS score of 3.4 (low severity).

We recommend you update to SQL Monitor 9.2.5 or later.

Am I affected?

This vulnerability affects all SQL Monitor versions up to and including version 9.2.4. You can find your current version by opening SQL Monitor, navigating to the Configuration tab, and clicking About.

Version 9.2.5, which resolves this vulnerability, was released on 28th November 2019.

How can I resolve this vulnerability?

We advise you to update SQL Monitor to the latest stable version. If you are currently running a licensed copy of SQL Monitor 9.0.0 or later, or have an active Support & Upgrades plan, version 9.2.5 is a free update.

You should download the latest version and update each copy of SQL Monitor you are running.

How could this be exploited?

The vulnerability is present in the notification settings page, which is only accessible to administrators of SQL Monitor.

If an SMTP mail server is configured to require a username and password, these credentials can be retrieved by triggering a form validation error on the notification settings page.

Unauthenticated, read-only, or standard users of SQL Monitor are not able to retrieve these credentials.
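The bug class described above, as an added illustration that is not SQL Monitor's code: a hypothetical settings handler that, on a validation error, re-renders the form from the stored settings and so writes the stored SMTP password back into the page, next to a hardened version that treats the secret as write-only. Field names, the placeholder value and the sample settings are constructed for the example.

```python
from dataclasses import dataclass

PASSWORD_PLACEHOLDER = "********"  # sent to the browser instead of the real secret


@dataclass
class SmtpSettings:
    host: str
    username: str
    password: str  # secret at rest; must never be written into a page response


def validate(form: dict) -> list:
    """Minimal validation for the constructed form: host required, port numeric."""
    errors = []
    if not form.get("host"):
        errors.append("host is required")
    port = form.get("port", "")
    if port and not str(port).isdigit():
        errors.append("port must be numeric")
    return errors


def render_vulnerable(stored: SmtpSettings, form: dict) -> dict:
    """Bug class: on a validation error the form is re-rendered from the stored
    settings, and the stored password travels back to the browser with them."""
    errors = validate(form)
    if errors:
        return {"errors": errors, "fields": {"host": stored.host,
                "username": stored.username, "password": stored.password}}
    return {"errors": [], "fields": {}}


def render_fixed(stored: SmtpSettings, form: dict) -> dict:
    """Hardened: the secret is write-only from the UI's point of view. Errors or
    not, the password field is rendered as a placeholder, never the stored value."""
    errors = validate(form)
    fields = {"host": form.get("host", stored.host),
              "username": form.get("username", stored.username),
              "password": PASSWORD_PLACEHOLDER}
    return {"errors": errors, "fields": fields}


def apply_update(stored: SmtpSettings, form: dict) -> SmtpSettings:
    """Persist a valid submission. A placeholder (or empty) password means
    'unchanged', so the real secret never has to round-trip through the client."""
    if validate(form):
        raise ValueError("invalid submission")
    submitted = form.get("password", "")
    password = stored.password if submitted in ("", PASSWORD_PLACEHOLDER) else submitted
    return SmtpSettings(form["host"], form.get("username", stored.username), password)
```

A quick way to check a settings page for this class of defect is to submit an invalid form while a password is stored and confirm the response body never contains the stored value.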

What if I can't update?

If you are unable to update, we recommend limiting administrative access to SQL Monitor to those users who need to manage its configuration. You can get more information about permissions in SQL Monitor in the product documentation.

If you do not have a current Support & Upgrades plan in place but would like to update, contact sales@red-gate.com to discuss your options.

What measures are you taking to ensure this doesn’t happen again?

As well as rapidly patching this issue, all developers have taken part in mandatory multi-day security training to supplement the training that was already in place. It remains our policy that all code is reviewed by at least one developer who hasn't worked on it before being released, which greatly reduces the likelihood of mistakes occurring.

You can find out more in our product security policy.