Security vulnerability in Redgate Monitor

16th October 2018

Summary

We recently discovered a security vulnerability affecting all versions of Redgate Monitor up to 8.0.18, whereby an already-logged-in user of Redgate Monitor who is tricked into visiting a malicious website or link could unknowingly be forced to perform actions in Redgate Monitor, as well as to reveal some types of data to the attacker.

There is no evidence that this vulnerability has been exploited in the wild, and no customer data has been exposed as a result of it - this is not a data breach. We strongly advise all Redgate Monitor users to patch this vulnerability by updating to the latest stable release, 8.0.19, at their earliest convenience.

Am I affected?

This vulnerability affects all Redgate Monitor versions up to and including version 8.0.18. You can find your current version by opening Redgate Monitor, navigating to the Configuration tab, and clicking About. Version 8.0.19, which resolves this vulnerability, was released as the new recommended stable release on October 10th 2018.

How can I resolve this vulnerability?

We strongly advise you to update Redgate Monitor to the latest stable version, which as of today is version 8.0.19. If you are currently running a licensed copy of Redgate Monitor 8.0.0 or above, are in the process of evaluating Redgate Monitor, or have an active Support & Upgrades plan, this is a free upgrade.

You should download the latest version here and update each copy of Redgate Monitor you are running.

Get the latest version of Redgate Monitor

What if I can’t update?

If you are unable to update at this time, either because you don’t have an active Support & Upgrades plan or because timing makes it impossible, we suggest mitigating the dangers of this attack by only accessing Redgate Monitor from your browser’s Private Browsing / Incognito mode. This vulnerability can only be exploited by targeting browser sessions which are already logged in to Redgate Monitor, so isolating your use of Redgate Monitor to a private session dramatically reduces the likelihood of malicious content having access to the Redgate Monitor browsing session.

If you do not have a current Support & Upgrades plan in place but would like to update, please contact sales@red-gate.com to discuss your options.

What are the technical details of the vulnerability?

Some areas of Redgate Monitor were found to be vulnerable to cross-site scripting (XSS) and cross-site request forgery (CSRF) attacks. If an already-logged-in user of Redgate Monitor is tricked into visiting a malicious website or link, the attacker could perform actions in Redgate Monitor, including adding / removing servers, as well as setting up custom metrics. They could also reveal some types of data - this would not directly include data from monitored servers, but could theoretically include monitoring data such as executed queries, which in some contexts could contain sensitive information.

To be successful, the attacker would also need to know the address of the Redgate Monitor installation.

You can read more about the nature of these attacks on the website of the OWASP Foundation: XSS / CSRF.
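The two request-handling controls that close this class of issue are a per-session anti-forgery token checked on every state-changing request, and output encoding of user-supplied values before they are rendered. The following is an added illustration written for this page, not Redgate's code and not a description of how Redgate Monitor is implemented: a hypothetical, in-memory admin application with a "add server" endpoint and a server listing. The origin (`https://monitor.example.com`), the session and user names, and the route paths are all constructed for the example.

```python
"""Hypothetical CSRF/XSS-hardened request handler (illustration only, not Redgate code)."""
import hmac
import html
import secrets
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass
class Request:
    """Constructed stand-in for an HTTP request as a framework would hand it to a handler."""
    method: str
    path: str
    headers: dict   # e.g. {"Origin": "https://monitor.example.com"}
    cookies: dict   # the browser attaches these automatically, even to cross-site requests
    form: dict      # POST body fields


class MonitorApp:
    """Minimal admin app: sessions keyed by cookie, a CSRF token per session, a server list."""

    def __init__(self, allowed_origin: str):
        self.allowed_origin = allowed_origin   # scheme://host[:port] the UI is served from
        self.sessions = {}                     # session id -> {"user", "csrf_token"}
        self.servers = []                      # user-supplied server names (untrusted text)

    def login(self, user: str) -> str:
        sid = secrets.token_urlsafe(32)
        # Synchronizer token: unpredictable, tied to the session, never sent in a cookie.
        self.sessions[sid] = {"user": user, "csrf_token": secrets.token_urlsafe(32)}
        return sid

    def csrf_token_for(self, sid: str) -> str:
        """What the server embeds in its own forms so legitimate pages can submit it back."""
        return self.sessions[sid]["csrf_token"]

    def _same_origin(self, req: Request) -> bool:
        # Defense in depth: compare scheme://host of Origin (or Referer) exactly,
        # not with startswith(), which "monitor.example.com.attacker" would satisfy.
        source = req.headers.get("Origin") or req.headers.get("Referer")
        if not source:
            return False   # fail closed: state-changing requests must identify their source
        parts = urlsplit(source)
        return f"{parts.scheme}://{parts.netloc}" == self.allowed_origin

    def handle(self, req: Request) -> tuple:
        session = self.sessions.get(req.cookies.get("session", ""))
        if session is None:
            return 401, "not logged in"
        if req.method == "POST":
            if not self._same_origin(req):
                return 403, "rejected: origin check failed"
            token = req.form.get("csrf_token", "")
            # Constant-time compare so the token cannot be recovered byte-by-byte via timing.
            if not hmac.compare_digest(token, session["csrf_token"]):
                return 403, "rejected: missing or invalid anti-forgery token"
            if req.path == "/servers/add":
                self.servers.append(req.form["name"])
                return 200, "added"
        if req.method == "GET" and req.path == "/servers":
            # Output encoding: a stored name containing markup renders as literal text.
            items = "".join(f"<li>{html.escape(name)}</li>" for name in self.servers)
            return 200, f"<ul>{items}</ul>"
        return 404, "not found"


def demo() -> dict:
    """Exercise the handler with one legitimate request and the cross-site cases it must reject."""
    app = MonitorApp("https://monitor.example.com")
    sid = app.login("dba")
    cookies = {"session": sid}   # constructed: the browser would send this cookie on every request

    legit = app.handle(Request("POST", "/servers/add",
                               {"Origin": "https://monitor.example.com"}, cookies,
                               {"csrf_token": app.csrf_token_for(sid), "name": "<b>SQL01</b>"}))
    # A form auto-submitted from another site carries the cookie but not the token.
    cross_site = app.handle(Request("POST", "/servers/add",
                                    {"Origin": "https://other.example"}, cookies, {"name": "x"}))
    # Same origin claimed, but no token: still rejected.
    no_token = app.handle(Request("POST", "/servers/add",
                                  {"Origin": "https://monitor.example.com"}, cookies, {"name": "x"}))
    listing = app.handle(Request("GET", "/servers", {}, cookies, {}))
    return {"legit": legit[0], "cross_site": cross_site[0], "no_token": no_token[0],
            "servers": list(app.servers), "listing": listing[1]}


if __name__ == "__main__":
    print(demo())
```

The token check is the primary control; the origin check only narrows the window further, since browsers reliably attach `Origin` to cross-site POSTs while `Referer` may be stripped by privacy settings. Marking the session cookie `SameSite=Lax` or `Strict` adds a third, browser-enforced layer, which is the same reasoning behind the private-browsing workaround above: a session that the malicious page cannot reach cannot be forged.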

What measures are you taking to ensure this doesn’t happen again?

As well as rapidly patching these issues, all developers have taken part in mandatory multi-day security training to supplement training which was already in place. It remains our policy that all code is reviewed, before being merged, by at least one developer who hasn't worked on it, which greatly reduces the likelihood of mistakes occurring.

In addition to significant security testing by the Redgate Monitor team itself, we also engaged a third-party penetration testing company to conduct a further audit of Redgate Monitor, which did not identify any additional issues.

We take security seriously, and will be considering other improvements to our processes to help make a vulnerability like this less likely in the future.

For more information, contact Redgate Support:

US & Canada (toll free): 1 866 627 8107

UK (free phone): 0800 169 7433

Other countries: +44 (0)1223 437 901