Security vulnerability in SQL Monitor

24th February 2021

Summary

SQL Monitor versions 9.0.4 to 11.0.18 (inclusive) have a security vulnerability in the access control feature for non-administrator users of SQL Monitor, when Active Directory authentication is enabled. There was a flaw in the check to see if a user could access a monitored server, triggered if the full name of the server contains the full name of any other monitored server.

What's the risk?

As an example, if there are two monitored servers, server.example.com and secret-server.example.com, and a user was only granted access to server.example.com, they would also be incorrectly granted access to secret-server.example.com within SQL Monitor, because the name secret-server.example.com contains the name server.example.com.

If a user is incorrectly granted access to a server, it will automatically appear in the Global Dashboard, all alerts for the server will be visible in the Alert Inbox, and the user can access all information shown in the Server Overview. How the user can interact with the server is still constrained by their SQL Monitor user role (Standard user, Reports user or Read-only user).

This vulnerability carries a CVSS 3.1 score of 5.4 (medium).

How can I resolve this vulnerability

SQL Monitor 11.0.19 fixes this vulnerability. This is a free upgrade for all licensed users of SQL Monitor 11.

If you cannot upgrade to SQL Monitor 11.0.19, the issue can be avoided by ensuring that monitored server names don't conflict. If there are any conflicts, this can be addressed by removing one of the conflicted servers. If necessary, an alternate DNS entry can be created for the conflicted server, so that it can then be re-added to SQL Monitor with a new non-conflicting name.

How does Redgate ensure its products are secure?

All our product teams receive training in secure development practices, and we peer review all code changes. We use extensive suites of automated checks.

Unfortunately, vulnerabilities do occasionally occur. We aim to fix and announce them promptly when we discover them, and provide information on our website when this happens. You can find out more in our product security policy.