Security vulnerability in SQL Monitor

27th May 2015

We recently discovered a security vulnerability in SQL Monitor.

This issue has been assigned the Common Vulnerabilities and Exposures ID CVE-2015-9098.

This vulnerability would have made it possible for an attacker with network access to the web application or Base Monitor components of SQL Monitor to access information or perform actions without authorization.

This discovery was made in-house: we are not aware of anyone having exploited this vulnerability.

We're really sorry this has happened. We're continuing to work with security experts to make sure we handle this incident in the safest way possible for our customers and users.

What is the vulnerability?

We have discovered that the connection between the SQL Monitor web application and the Base Monitor service can be compromised: an attacker who can reach that channel can bypass the controls the web application enforces, or interpose on the channel itself (see "How could this be exploited?" below).

Am I affected?

This vulnerability exists in all released versions of SQL Monitor.

Note that this vulnerability does not exist in SQL Response, an older monitoring product that has been retired.

How could this be exploited?

An attacker could circumvent SQL Monitor’s user role authentication and authorization mechanism (as described at http://documentation.red-gate.com/display/SM4/Managing+user+roles).

  • This would give an unauthorized user access to any data collected by SQL Monitor. Depending on the design of the monitored databases, the query fragments captured by Deadlock alerts, Long Running Query alerts, or SQL Server Error Log alerts may contain privileged data, such as literal values embedded in the query text.
  • Additionally, for SQL Monitor v3.0 or later, the Custom Metrics feature could allow an attacker to run arbitrary T-SQL on any monitored server, with whatever privileges the Base Monitor's SQL Server credentials hold on that server. This could allow someone to change or delete data or databases on the monitored server.

A determined attacker could create a malicious endpoint (e.g. a custom client, server, or proxy) to gain access to additional data communicated to and stored by a vulnerable Base Monitor service.

  • This could reveal the SMTP credentials, which could lead to further compromise if those credentials are reused elsewhere.
  • The SQL Server and machine credentials used by the Base Monitor service are stored encrypted in the Data Repository; however, any credentials entered into the SQL Monitor web application while a malicious endpoint attack is in progress could be captured by the attacker.
  • Note: because of the nature of the vulnerability, we consider it very unlikely that an attacker could work out how to launch a malicious endpoint attack. This reduces the likelihood of such an attack, but it is not a substitute for upgrading.

Further mitigating factors

The following are additional mitigating factors:

  • For exploits against the Base Monitor, the attacker would need to be able to communicate with the Base Monitor component of SQL Monitor, which listens by default on TCP port 7399.
  • For exploits against the web application, the attacker would need to be able to communicate with the web application component of SQL Monitor, which listens by default on TCP port 8080 when running under SQL Monitor’s built-in web server (if you host the web application in IIS, the relevant port is the one bound to that IIS site).
  • For either exploit, this typically means that an attacker would either need to be on your network, or would need to circumvent your normal network security mechanisms such as firewalls.

How can I resolve this vulnerability?

We have made fixes available in both release streams of SQL Monitor: v3.10 in the v3 stream and v4.2 in the v4 stream.

Any SQL Monitor customer can upgrade to either of these releases, regardless of their support status.

Note: Under some circumstances, the SQL Monitor installer can report an error message "Port is not available". If you encounter this error, you will need to stop the SQL Monitor Windows services before you run the installation.

  1. From the Start Menu, open services.msc.
  2. Locate the services named "SQL Monitor [*] Base Service" (and, if you're using SQL Monitor's own web server "SQL Monitor [*] Web Service") - where [*] stands for the version you have installed.
  3. Right click on each of these services and select "Stop".
  4. Re-run the installer.
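The same procedure as a script, added here as an example rather than taken from Redgate's advisory: it stops every installed SQL Monitor service, waits until each has actually reached the Stopped state, and then reports anything still listening on the ports SQL Monitor uses, so that a repeat of the "Port is not available" error can be traced to the process holding the port. It assumes the default ports 7399 (Base Monitor) and 8080 (built-in web server); adjust those if you changed them at install time, and run it from an elevated PowerShell prompt on the SQL Monitor host.

```powershell
# Added example (not Redgate's own code). Assumes the default ports 7399 and 8080;
# change $ports if your installation uses others (see Configuration -> About).
$ports = 7399, 8080

# Display names look like "SQL Monitor 4 Base Service" / "SQL Monitor 4 Web Service";
# the wildcard covers whichever version is installed.
$services = Get-Service -DisplayName 'SQL Monitor * Base Service', 'SQL Monitor * Web Service' `
                        -ErrorAction SilentlyContinue

if (-not $services) {
    Write-Warning 'No SQL Monitor services found; check the display names in services.msc.'
} else {
    foreach ($svc in $services) {
        if ($svc.Status -ne 'Stopped') {
            Write-Host "Stopping $($svc.DisplayName) ($($svc.Name))"
            Stop-Service -Name $svc.Name -Force
            # Make sure the service has really reached Stopped before the installer runs;
            # throws a TimeoutException if it is still stopping after 60 seconds.
            $svc.WaitForStatus('Stopped', [TimeSpan]::FromSeconds(60))
        }
    }
    # Refresh the cached status before printing the result
    $services | ForEach-Object { $_.Refresh(); $_ } | Format-Table DisplayName, Status -AutoSize
}

# Anything still listening on these ports will make the installer fail again.
# Get-NetTCPConnection needs Windows 8 / Server 2012 or later; on older systems
# run "netstat -ano" and match the PID column instead.
Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
    Where-Object { $ports -contains $_.LocalPort } |
    ForEach-Object {
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        '{0}:{1} is held by PID {2} ({3})' -f $_.LocalAddress, $_.LocalPort, $_.OwningProcess, $proc.ProcessName
    }
```

If the last step lists a process other than the SQL Monitor services (for example another web server already bound to 8080), stopping the SQL Monitor services alone will not clear the installer error; that process has to be stopped or moved to another port first.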

If you are unable to upgrade SQL Monitor, you can instead restrict the Base Monitor's port on the machine running the Base Monitor so that it accepts connections only from the web server running the SQL Monitor web application. The port is configured during installation: the default is 7399, but you can check it in the SQL Monitor UI (go to Configuration -> About). Treat this as an interim measure; upgrading remains the recommended fix.

Please note that, due to the wide variety of firewall technologies, Redgate cannot offer customer support on firewall configuration settings.
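One way to apply that interim restriction on a Base Monitor host that uses the Windows Firewall, added here as an example and not part of Redgate's guidance: the script checks that the firewall profiles actually block unsolicited inbound traffic by default, flags any existing rule that already opens the Base Monitor port to every address, and then creates a single inbound Allow rule scoped to the web server's address. It assumes the Base Monitor listens on TCP 7399 and that the web application host is 10.0.0.25 (both placeholders; replace them), and it uses the NetSecurity cmdlets available on Windows 8 / Server 2012 or later, run from an elevated prompt on the Base Monitor host.

```powershell
# Added example (not Redgate's own code). Placeholders: replace $basePort with the
# port shown under Configuration -> About and $webServer with the address of the
# host running the SQL Monitor web application.
$basePort  = 7399
$webServer = '10.0.0.25'
$ruleName  = 'SQL Monitor Base Monitor - allow web server only'

# The Windows Firewall evaluates explicit Block rules before Allow rules, so a
# "block everything else" rule would also block the web server. The safe pattern is
# a narrowly scoped Allow rule plus the profile's default inbound action of Block.
$open = Get-NetFirewallProfile | Where-Object {
    $_.Enabled -ne 'True' -or $_.DefaultInboundAction -ne 'Block'
}
if ($open) {
    Write-Warning ('These firewall profiles do not block unsolicited inbound traffic by default: ' +
        ($open.Name -join ', ') + '. Fix that first, or the scoped rule below has no effect.')
}

# Any existing inbound Allow rule on the same port would also have to be removed or
# narrowed, since it would still let every other host connect.
$existing = Get-NetFirewallPortFilter |
    Where-Object { $_.Protocol -eq 'TCP' -and $_.LocalPort -eq $basePort } |
    Get-NetFirewallRule |
    Where-Object { $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' -and $_.DisplayName -ne $ruleName }
foreach ($rule in $existing) {
    $remote = ($rule | Get-NetFirewallAddressFilter).RemoteAddress -join ','
    Write-Warning "Existing inbound Allow rule on port ${basePort}: '$($rule.DisplayName)' (remote=$remote)"
}

# Recreate our rule so the script can be re-run safely
Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue | Remove-NetFirewallRule

New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Action Allow `
    -Protocol TCP -LocalPort $basePort -RemoteAddress $webServer -Profile Any `
    -Description 'Allow only the SQL Monitor web application host to reach the Base Monitor.' |
    Out-Null

# Verify: every inbound rule touching the port, with its remote-address scope
Get-NetFirewallPortFilter |
    Where-Object { $_.Protocol -eq 'TCP' -and $_.LocalPort -eq $basePort } |
    Get-NetFirewallRule |
    Where-Object { $_.Direction -eq 'Inbound' } |
    ForEach-Object {
        $remote = ($_ | Get-NetFirewallAddressFilter).RemoteAddress -join ','
        '{0,-50} {1,-5} enabled={2} remote={3}' -f $_.DisplayName, $_.Action, $_.Enabled, $remote
    }
```

Two points worth checking after running it: if the web application and the Base Monitor are on the same machine, their loopback traffic is not filtered by the Windows Firewall, so the rule neither helps nor hinders that case; and the verification listing should show only the new rule as an inbound Allow for the port, since any other Allow rule listed there still exposes the Base Monitor to whatever addresses it names.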

Are there any implications of upgrading to SQL Monitor v4.2?

For SQL Monitor v4 customers upgrading to SQL Monitor v4.2:

  • There are no performance implications.
  • There are no data collection or storage change implications.
  • If you upgrade from a version earlier than v4.1.1, there are schema changes associated with upgrading to SQL Monitor v4.2. Before you upgrade to a later version, we recommend that you back up your current Data Repository. Once the upgrade is completed, you won't be able to roll back to a previous version of your Data Repository database.

For SQL Monitor v2 or v3 customers, upgrading to SQL Monitor v4.2:

  • There may be a small additional performance load (up to 10%) on the machine running the Base Monitor service.
  • There is a small (less than 10%) increase in the rate of data collection, and in storage requirements for the Data Repository.
  • There are schema changes associated with upgrading to SQL Monitor v4.2. Before you upgrade to a later version, we recommend that you back up your current Data Repository. Once the upgrade is completed, you won't be able to roll back to a previous version of your Data Repository database.

Are there any implications of upgrading to SQL Monitor v3.10?

For SQL Monitor v3 customers upgrading to SQL Monitor v3.10:

  • There are no performance implications.
  • There are no data collection or storage change implications.
  • There are no schema change implications.

For SQL Monitor v2 customers, upgrading to SQL Monitor v3.10:

  • There are no performance implications.
  • There are no data collection or storage change implications.
  • There are schema changes associated with upgrading to SQL Monitor v3.10. Before you upgrade to a later version, we recommend that you back up your current Data Repository. Once the upgrade is completed, you won't be able to roll back to a previous version of your Data Repository database.

For more information, contact Redgate Support:

US & Canada (toll free):
1 866 627 8107
Support

UK (free phone):
0800 169 7433
Support

Other countries:
+44 (0)1223 437 901
Support