Security vulnerability in SQL Monitor (CVE-2020-15526)

8th July 2020

Summary

SQL Monitor versions 7.1.4 to 10.1.6 (inclusive) have a security vulnerability whereby the effect of the options in the Configuration > Notifications pages that disable TLS certificate checking for alert notifications could extend beyond the scope those options define. These TLS certificate checks were also ignored whenever VMware machines were being monitored.

This would make SQL Monitor vulnerable to potential man-in-the-middle attacks when sending alert notification emails, posting to Slack or posting to webhooks.
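The failure mode described above is a scope leak: a certificate-checking override intended for one notification channel ends up applying to every TLS connection the process makes. The following added example (illustrative code, not SQL Monitor's own; the channel names and the shared-context mechanism are assumptions) contrasts that pattern with a per-channel context so each channel's setting affects only its own connections:

```python
import ssl
from dataclasses import dataclass


@dataclass(frozen=True)
class ChannelConfig:
    """Constructed stand-in for one notification channel's settings."""
    name: str
    ignore_cert_errors: bool = False


# Vulnerable pattern: one TLS context shared by every channel in the process.
_SHARED_CTX = ssl.create_default_context()


def vulnerable_context_for(cfg: ChannelConfig) -> ssl.SSLContext:
    """Honours the option by mutating the shared context.

    Bug: once any channel (say, a webhook) has the option set, the shared
    context stays relaxed, so unrelated channels (SMTP, Slack) also stop
    verifying certificates. This mirrors the advisory's scope leak.
    """
    if cfg.ignore_cert_errors:
        _SHARED_CTX.check_hostname = False   # must precede verify_mode change
        _SHARED_CTX.verify_mode = ssl.CERT_NONE
    return _SHARED_CTX


def context_for(cfg: ChannelConfig) -> ssl.SSLContext:
    """Hardened pattern: a fresh context per channel, nothing global touched."""
    ctx = ssl.create_default_context()       # chain + hostname verification on
    if cfg.ignore_cert_errors:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def verifies(ctx: ssl.SSLContext) -> bool:
    """True when the context still checks the chain and the hostname."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def unverified_channels(configs) -> list:
    """Audit helper: names of channels whose own setting disables checks."""
    return [c.name for c in configs if not verifies(context_for(c))]
```

With the shared-context version, configuring only the webhook channel to ignore errors silently downgrades the SMTP channel as well; with the per-channel version, the audit helper reports exactly the channels an operator explicitly relaxed.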

What's the risk?

A person performing man-in-the-middle attacks between SQL Monitor's base monitor and any of the following could potentially gain access to information present in alert notifications, including the names of monitored servers and databases, and the SMTP server credentials or exact URLs used to post these alerts:

  • The SMTP mail server used by SQL Monitor to send alert notification emails.
  • The public Slack API endpoints.
  • The endpoint used to send webhook notifications for alerts.

In addition, if monitoring any SQL Server instances running on a VMware guest OS, the communication between SQL Monitor and the VMware hypervisors or vCenter servers could potentially be intercepted.

Communications between SQL Monitor and the Windows servers and SQL Server instances are not affected by this vulnerability, and Windows or SQL authentication credentials are not at risk. The SQL Monitor web server is not affected by this vulnerability, nor is traffic between users' browsers and SQL Monitor.

This vulnerability carries a CVSS 3.1 score of 4.7 (medium).

How can I resolve this vulnerability?

SQL Monitor 10.1.7 fixes this vulnerability. This is a free upgrade for all licensed users of SQL Monitor 10.

If you cannot upgrade to SQL Monitor 10.1.7, the issue can be avoided by turning off any enabled "Ignore SSL or TLS certificate errors" options for email or webhook notifications and by not monitoring SQL Server instances running on VMware guest OSes. A restart of the SQL Monitor base monitor is also required for this to take effect.

How does Redgate ensure its products are secure?

All our product teams receive training in secure development practices, and we peer review all code changes. We use extensive suites of automated checks.

Unfortunately, vulnerabilities do occasionally occur. We aim to fix and announce them promptly when we discover them, and provide information on our website when this happens. You can find out more in our product security policy.