Security vulnerability in Redgate Monitor prior to 14.0.8 (CVE-2024-35255)

13th June 2024

Summary

Microsoft have announced vulnerabilities in versions of two libraries used by Redgate Monitor from 11.2.14 to 14.0.7. The vulnerability can be exploited to read any file on the file system with SYSTEM access permissions. It can only be exploited by a user with local access to the Redgate Monitor base monitor, and cannot be exploited remotely using the Redgate Monitor web interface or API.

Redgate Monitor version 14.0.8 fixes this vulnerability.

What's the risk?

The ability to read any file on the file system is a high risk to confidentiality.

Additionally, since version 13.0.0, Redgate Monitor's base monitors create encryption keys to encrypt credentials for monitored instances. These encryption keys are stored in the file system, secured by Windows ACLs. If the vulnerability were exploited by a local user to read both that file and the base monitor's database files (and the database files were not secured by TDE), credentials stored within the database could potentially be decrypted, bypassing that layer of protection. Depending on the privileges associated with the credentials, this could pose a risk to the integrity of the monitored instances and hosts.

How can I resolve this vulnerability?

Redgate Monitor 14.0.8 updates the affected libraries to versions without the vulnerability. We recommend you upgrade to the latest release as soon as possible.

If you cannot update Redgate Monitor, then you may wish to review which users can access the machines on which your base monitors run.

Has this vulnerability been exploited?

The initial vulnerability was announced by Microsoft on the 11th of June 2024. Redgate has seen no evidence of this vulnerability being exploited in the wild in Redgate Monitor.

How does Redgate ensure its products are secure?

All our product teams receive training in secure development practices, and we peer review all code changes. We use extensive suites of automated checks.

Unfortunately, vulnerabilities do occasionally occur. We aim to fix and announce them promptly when we discover them, and provide information on our website when this happens. You can find out more in our product security policy.