-
Título
Safeguard Privilege Manager for Windows Security Vulnerability Notification for CVE-2024-49591 -
Descrição
If an administrator configured SQL Server through the Console, sensitive information (such as SQL Server Service Account credentials) supplied during configuration may be stored insecurely.
-
Resolução
Resolution
For new installations:
Use versions 4.5.3, 4.6.1 or 4.7.1 for new deployments as these close this vulnerability. The fix will be included in future releases.
Vulnerable versions will no longer be available for download.Further details and mitigation factors:
1. Administrators should search in the log files (PADataCollectionManager.txt and PAConsole_Log.txt) located here:
%ProgramData%\One Identity\Safeguard Privilege Manager for Windows
or
%ProgramData%\Privilege Authority
For example:
- Searching in the log file PADataCollectionManager.txt for ‘SQLSVCPASSWORD’ and remove sensitive information manually from this log file if any exist.
- Searching in the log file PAConsole_Log.txt for 'Create Reporting Database' and remove sensitive information manually from this log file if any exist.
This has to be done every time a SQL Server setup is ran while using the older versions where credentials are entered in the setup wizard for either a new SQL Server Express installation using a SQL Server Express Service Account or when connecting to an existing SQL Server with Use SQL Server Authentication using a local database user as 'sa' login.
2. Administrators should change the password for the Windows service account and update the Log on details of the SQL Server Service with the new password.
In SQL Server Configuration Manager
- Right Click on SQL Server (InstanceName) > Select properties
- In Log On tab > type the new password in the Password and Confirm Password boxes then select OK.Note: The password takes effect immediately, without restarting SQL Server
3. Administrators should change the password of the ‘sa’ user of the SQL Server instance
In SQL Server Management Studio
- Login to the SQL Server instance
- In the Object Explorer, expand Security and then Logins
- Double click the SA user login
- In General page, Type the new Password and Confirm Password
- Click Ok