We recently discovered a security vulnerability in SQL Monitor.

This issue has been assigned the Common Vulnerabilities and Exposures ID CVE-2015-9098.

This vulnerability makes it possible for an attacker with network access to the SQL Monitor web application or to the Base Monitor service to access information or perform actions without authorization.

The vulnerability was discovered in-house; we are not aware of any instance of it being exploited.

We're really sorry this has happened. We're continuing to work with security experts to make sure we handle this incident in the safest way possible for our customers and users.

What is the vulnerability?

We have discovered that the connection between the SQL Monitor web application and the Base Monitor service can be compromised by an attacker with network access to either component.

Am I affected?

This vulnerability exists in all released versions of SQL Monitor.

Note that this vulnerability does not exist in SQL Response, an older monitoring product that has been retired.

How could this be exploited?

An attacker could circumvent SQL Monitor’s user authentication and role-based access controls (the roles are described at https://documentation.red-gate.com/display/SM4/Managing+user+roles).

This would give an unauthorized user access to any data collected by SQL Monitor. Depending on the schema and workload of the monitored servers, the query fragments captured by Deadlock alerts, Long Running Query alerts, or SQL Server Error Log alerts could contain sensitive data, for example literal values embedded in the captured query text.

Additionally, for SQL Monitor v3.0 or later, the Custom Metrics feature could allow an attacker to run arbitrary T-SQL statements on a monitored server, using the account SQL Monitor connects with. This could allow someone to change or delete data or databases on the monitored server.
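One way to detect abuse of this path on a monitored server is to audit what the monitoring login actually executes. The following SQL Server Audit setup is an added example and is not part of this advisory or of SQL Monitor itself; it assumes the login SQL Monitor connects with is named sqlmonitor_svc and that C:\Audit\ exists and is writable by the SQL Server service account. Change both to match your environment.

```sql
-- Added example (not Redgate's code): audit schema and database changes made by the
-- login SQL Monitor uses to connect to a monitored server.
-- Assumptions: the monitoring login is 'sqlmonitor_svc' and C:\Audit\ is writable
-- by the SQL Server service account. Adjust both before running.

-- 1. A server audit restricted to the monitoring login.
--    The WHERE filter requires SQL Server 2012 or later.
CREATE SERVER AUDIT SqlMonitorLoginAudit
TO FILE (FILEPATH = N'C:\Audit\', MAXSIZE = 256 MB, MAX_ROLLOVER_FILES = 10)
WITH (QUEUE_DELAY = 1000, ON_FAILURE = CONTINUE)
WHERE server_principal_name = N'sqlmonitor_svc';
GO

-- 2. Record CREATE/ALTER/DROP of schema objects, database objects and databases.
--    A custom metric is expected to read, not modify, so any of these events
--    attributed to the monitoring login warrants investigation.
CREATE SERVER AUDIT SPECIFICATION SqlMonitorLoginChanges
FOR SERVER AUDIT SqlMonitorLoginAudit
    ADD (SCHEMA_OBJECT_CHANGE_GROUP),
    ADD (DATABASE_OBJECT_CHANGE_GROUP),
    ADD (DATABASE_CHANGE_GROUP)
WITH (STATE = ON);
GO

ALTER SERVER AUDIT SqlMonitorLoginAudit WITH (STATE = ON);
GO

-- 3. Review: what the monitoring login changed, most recent first.
SELECT event_time,
       action_id,
       server_principal_name,
       database_name,
       object_name,
       statement
FROM sys.fn_get_audit_file(N'C:\Audit\SqlMonitorLoginAudit*.sqlaudit', DEFAULT, DEFAULT)
WHERE succeeded = 1
ORDER BY event_time DESC;
```

These action groups capture DDL only. Data changes made with plain DML would need the much noisier SCHEMA_OBJECT_ACCESS_GROUP or a database-level audit specification on the databases you care about; the trade-off is audit volume against coverage of the "change or delete data" case described above.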

A determined attacker could set up a malicious endpoint (for example a custom client, server, or proxy) to gain access to additional data communicated to, and stored by, a vulnerable Base Monitor service.

This could reveal the SMTP credentials, which could lead to further compromise if those credentials are reused elsewhere.

The SQL Server and machine credentials used by the Base Monitor service are stored encrypted in the Data Repository; however, any credentials entered into the SQL Monitor web application while a malicious endpoint attack is in progress could be visible to the attacker.

Note: due to the nature of the vulnerability, it is very unlikely that an attacker could work out the mechanism by which a malicious endpoint attack could be launched.

Further mitigating factors

The following are additional mitigating factors: