StuartCox-7029 asked vipulsparsh-MSFT commented

SQL Server Vulnerability VA2129 - Changes to signed modules should be authorized (msdb)

Standing up default VMs hosting SQL Server in Azure, working through Azure Security Center recommendations. We're getting Azure Security Center recommendations with High severity on 255 objects that are created in the msdb database when the server is deployed.

VA2129 - Changes to signed modules should be authorized

All of the modules returned are in MSDB, all signed with ##MS_AgentSigningCertificate##.

I am getting the same issue regardless of SQL or OS version:
- SQL 2014 Developer Edition on Windows Server 2012 R2 (244 modules)
- SQL 2017 Developer Edition on Windows Server 2016 (255 modules)
- SQL 2019 Developer Edition on Windows 2019 (255 modules)

Is this a bug in Security Center, maybe an issue with Developer Edition, or some other issue? It seems like a bug, but wanted to verify before we baseline this as a known issue.

Here are the msdb modules throwing this issue:
[dbo].[sp_help_jobhistory_summary]
[dbo].[sysmail_help_profileaccount_sp]
[dbo].[sp_help_jobhistory]
[dbo].[sysmail_configure_sp]
[dbo].[sp_add_jobserver]
[dbo].[sysmail_help_configure_sp]
[dbo].[sp_delete_jobserver]
[dbo].[sysmail_help_configure_value_sp]
[dbo].[sp_help_jobserver]
[dbo].[sysmail_add_principalprofile_sp]
[dbo].[sp_help_downloadlist]
[dbo].[sysmail_update_principalprofile_sp]
[dbo].[sp_enum_sqlagent_subsystems_internal]
[dbo].[sysmail_delete_principalprofile_sp]
[dbo].[sp_enum_sqlagent_subsystems]
[dbo].[sysmail_help_principalprofile_sp]
[dbo].[sp_verify_subsystem]
[dbo].[sysmail_logmailevent_sp]
[dbo].[sp_verify_schedule]
[dbo].[sysmail_start_sp]
[dbo].[sp_add_schedule]
[dbo].[sysmail_stop_sp]
[dbo].[sp_attach_schedule]
[dbo].[sysmail_help_status_sp]
[dbo].[sp_detach_schedule]
[dbo].[sysmail_help_queue_sp]
[dbo].[sp_update_replication_job_parameter]
[dbo].[sp_SendMailMessage]
[dbo].[sp_update_schedule]
[dbo].[sp_isprohibited]
[dbo].[sp_delete_schedule]
[dbo].[sp_SendMailQueues]
[dbo].[sp_get_jobstep_db_username]
[dbo].[sp_ProcessResponse]
[dbo].[sp_verify_jobstep]
[dbo].[sp_MailItemResultSets]
[dbo].[sp_add_jobstep_internal]
[dbo].[sp_process_DialogTimer]
[dbo].[sp_add_jobstep]
[dbo].[sp_readrequest]
[dbo].[sp_update_jobstep]
[dbo].[sp_GetAttachmentData]
[dbo].[sp_delete_jobstep]
[dbo].[sp_RunMailQuery]
[dbo].[sp_help_jobstep]
[dbo].[sp_validate_user]
[dbo].[sp_write_sysjobstep_log]
[dbo].[sp_send_dbmail]
[dbo].[sp_help_jobsteplog]
[dbo].[sp_ExternalMailQueueListener]
[dbo].[sp_delete_jobsteplog]
[dbo].[sp_sysmail_activate]
[dbo].[sp_get_schedule_description]
[dbo].[sp_add_jobschedule]
[dbo].[sp_update_jobschedule]
[dbo].[sp_delete_jobschedule]
[smart_admin].[sp_create_job]
[dbo].[sp_help_schedule]
[smart_admin].[sp_add_task_command]
[dbo].[sp_maintplan_delete_log]
[dbo].[sp_help_jobschedule]
[smart_admin].[sp_set_db_backup]
[dbo].[sp_maintplan_delete_subplan]
[dbo].[sp_verify_job]
[dbo].[sp_maintplan_update_subplan_tsx]
[dbo].[sp_add_job]
[dbo].[sp_maintplan_subplans_by_job]
[dbo].[sp_update_job]
[dbo].[sp_maintplan_open_logentry]
[dbo].[sp_delete_job]
[smart_admin].[sp_get_backup_diagnostics]
[dbo].[sp_maintplan_close_logentry]
[dbo].[sp_get_composite_job_info]
[dbo].[sp_maintplan_update_log]
[dbo].[sp_help_job]
[dbo].[sp_maintplan_update_subplan]
[dbo].[sp_help_jobcount]
[dbo].[sp_maintplan_delete_plan]
[dbo].[sp_help_jobs_in_schedule]
[dbo].[sp_maintplan_start]
[dbo].[sp_manage_jobs_by_login]
[dbo].[sp_clear_dbmaintplan_by_db]
[dbo].[sp_apply_job_to_targets]
[dbo].[sp_add_maintenance_plan]
[dbo].[sp_remove_job_from_targets]
[dbo].[sp_delete_maintenance_plan]
[dbo].[sp_get_job_alerts]
[dbo].[sp_add_maintenance_plan_db]
[dbo].[sp_start_job]
[dbo].[sp_delete_maintenance_plan_db]
[dbo].[sp_stop_job]
[dbo].[sp_add_maintenance_plan_job]
[dbo].[sp_cycle_agent_errorlog]
[dbo].[sp_delete_maintenance_plan_job]
[dbo].[sp_get_chunked_jobstep_params]
[dbo].[sp_help_maintenance_plan]
[dbo].[sp_check_for_owned_jobs]
[dbo].[sp_check_for_owned_jobsteps]
[dbo].[sp_sqlagent_refresh_job]
[dbo].[sp_jobhistory_row_limiter]
[dbo].[sp_add_log_shipping_monitor_jobs]
[dbo].[sp_add_log_shipping_primary]
[dbo].[sp_add_log_shipping_secondary]
[dbo].[sp_delete_log_shipping_monitor_jobs]
[dbo].[sp_delete_log_shipping_primary]
[dbo].[sp_delete_log_shipping_secondary]
[dbo].[sp_log_shipping_in_sync]
[dbo].[sp_log_shipping_get_date_from_file]
[dbo].[sp_sqlagent_log_jobhistory]
[dbo].[sp_get_log_shipping_monitor_info]
[dbo].[sp_sqlagent_check_msx_version]
[dbo].[sp_update_log_shipping_monitor_info]
[dbo].[sp_sqlagent_probe_msx]
[dbo].[sp_delete_log_shipping_monitor_info]
[dbo].[sp_set_local_time]
[dbo].[sp_remove_log_shipping_monitor_account]
[dbo].[sp_multi_server_job_summary]
[dbo].[sp_log_shipping_monitor_backup]
[dbo].[sp_target_server_summary]
[dbo].[sp_log_shipping_monitor_restore]
[dbo].[sp_uniquetaskname]
[dbo].[sp_change_monitor_role]
[dbo].[sp_addtask]
[dbo].[sp_sqlagent_is_srvrolemember]
[dbo].[sp_create_log_shipping_monitor_account]
[dbo].[sp_droptask]
[dbo].[trig_targetserver_insert]
[dbo].[sp_verify_category_identifiers]
[dbo].[sp_ssis_addlogentry]
[dbo].[sp_add_alert_internal]
[dbo].[sp_ssis_listpackages]
[dbo].[sp_add_alert]
[dbo].[sp_verify_proxy_identifiers]
[dbo].[sp_ssis_listfolders]
[dbo].[sp_delete_alert]
[dbo].[sp_verify_credential_identifiers]
[dbo].[sp_ssis_deletepackage]
[dbo].[sp_help_alert]
[dbo].[sp_verify_subsystems]
[dbo].[sp_ssis_deletefolder]
[dbo].[sp_verify_operator]
[dbo].[sp_verify_subsystem_identifiers]
[dbo].[sp_ssis_getpackage]
[dbo].[sp_add_operator]
[dbo].[sp_verify_login_identifiers]
[dbo].[sp_ssis_getfolder]
[dbo].[sp_update_operator]
[dbo].[sp_verify_proxy]
[dbo].[sp_ssis_putpackage]
[dbo].[sp_help_operator]
[dbo].[sp_add_proxy]
[dbo].[sp_help_operator_jobs]
[dbo].[sp_delete_proxy]
[dbo].[sp_ssis_addfolder]
[dbo].[sp_verify_operator_identifiers]
[dbo].[sp_update_proxy]
[dbo].[sp_ssis_renamefolder]
[dbo].[sp_notify_operator]
[dbo].[sp_sqlagent_is_member]
[dbo].[sp_ssis_setpackageroles]
[dbo].[sp_verify_notification]
[dbo].[sp_verify_proxy_permissions]
[dbo].[sp_ssis_getpackageroles]
[dbo].[sp_add_notification]
[dbo].[sp_help_proxy]
[dbo].[sp_update_notification]
[dbo].[sp_delete_notification]
[dbo].[sp_grant_proxy_to_subsystem]
[dbo].[sp_help_notification]
[dbo].[sp_grant_login_to_proxy]
[dbo].[sp_help_jobactivity]
[dbo].[sp_revoke_login_from_proxy]
[dbo].[sp_revoke_proxy_from_subsystem]
[dbo].[sp_enum_proxy_for_subsystem]
[dbo].[sp_sem_add_message]
[dbo].[sp_enum_login_for_proxy]
[dbo].[sp_sem_drop_message]
[dbo].[sp_get_message_description]
[dbo].[sp_sqlagent_get_startup_info]
[dbo].[sp_help_jobhistory_sem]
[dbo].[sp_convert_jobid_to_char]
[dbo].[sp_sqlagent_has_server_access]
[dbo].[sp_sqlagent_get_perf_counters]
[dbo].[sp_sqlagent_notify]
[dbo].[sp_is_sqlagent_starting]
[dbo].[sp_verify_job_identifiers]
[dbo].[sysmail_delete_mailitems_sp]
[dbo].[sp_verify_schedule_identifiers]
[dbo].[sp_verify_jobproc_caller]
[dbo].[sp_downloaded_row_limiter]
[dbo].[sp_post_msx_operation]
[dbo].[sp_verify_performance_condition]
[dbo].[sysmail_delete_log_sp]
[dbo].[sp_verify_job_date]
[dbo].[sp_verify_job_time]
[dbo].[sp_verify_alert]
[dbo].[sp_update_alert]
[dbo].[sp_delete_job_references]
[dbo].[sp_delete_all_msx_jobs]
[dbo].[sp_generate_target_server_job_assignment_sql]
[dbo].[sp_generate_server_description]
[dbo].[sp_msx_set_account]
[dbo].[sp_msx_get_account]
[dbo].[sp_delete_operator]
[dbo].[sp_msx_defect]
[dbo].[sp_msx_enlist]
[dbo].[sysmail_verify_accountparams_sp]
[dbo].[sp_delete_targetserver]
[dbo].[sp_enlist_tsx]
[dbo].[sysmail_verify_principal_sp]
[dbo].[sp_get_sqlagent_properties]
[dbo].[sysmail_verify_profile_sp]
[dbo].[sp_set_sqlagent_properties]
[dbo].[sysmail_verify_account_sp]
[dbo].[sp_add_targetservergroup]
[dbo].[sysmail_add_profile_sp]
[dbo].[sp_update_targetservergroup]
[dbo].[sysmail_update_profile_sp]
[dbo].[sp_delete_targetservergroup]
[dbo].[sysmail_delete_profile_sp]
[dbo].[sp_help_targetservergroup]
[dbo].[sysmail_help_profile_sp]
[dbo].[sp_add_targetsvrgrp_member]
[dbo].[sysmail_create_user_credential_sp]
[dbo].[sp_delete_targetsvrgrp_member]
[dbo].[sysmail_alter_user_credential_sp]
[dbo].[sp_verify_category]
[dbo].[sysmail_drop_user_credential_sp]
[dbo].[sp_add_category]
[dbo].[sysmail_add_account_sp]
[dbo].[sp_update_category]
[dbo].[sysmail_update_account_sp]
[dbo].[sp_delete_category]
[dbo].[sysmail_delete_account_sp]
[dbo].[sp_help_category]
[dbo].[sysmail_help_account_sp]
[dbo].[sp_help_targetserver]
[dbo].[sysmail_help_admin_account_sp]
[dbo].[sp_resync_targetserver]
[dbo].[sysmail_add_profileaccount_sp]
[dbo].[sp_purge_jobhistory]
[dbo].[sysmail_update_profileaccount_sp]
[dbo].[sp_help_jobhistory_full]
[dbo].[sysmail_delete_profileaccount_sp]



azure-security-center, azure-sql-virtual-machines

@StuartCox-7029 Thanks for reaching out, and apologies for the delay on this.

The product group is aware of this and is investigating further about this query for rule: VA2129.
We will share any further information around this here and keep you posted with the update.


0 Answers
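
One way to review the modules the finding lists before baselining it, as an added example that is not part of the original thread and is not the query the VA2129 rule itself runs. It uses only the standard catalog views `sys.crypt_properties`, `sys.objects`, `sys.certificates` and `sys.asymmetric_keys`; the output column aliases are chosen here.

```sql
-- Added example: inventory every signed module in msdb with its signer,
-- then summarize per signer so an unexpected certificate stands out.
USE msdb;
GO

-- Detail: one row per signature on an object.
SELECT
    QUOTENAME(SCHEMA_NAME(o.schema_id)) + N'.' + QUOTENAME(o.name) AS module_name,
    o.type_desc,
    o.is_ms_shipped,
    o.create_date,
    o.modify_date,
    cp.crypt_type_desc,                       -- signature vs. countersignature
    COALESCE(c.name, ak.name)                 AS signer_name,
    cp.thumbprint
FROM sys.crypt_properties AS cp
JOIN sys.objects AS o
    ON o.object_id = cp.major_id
LEFT JOIN sys.certificates AS c
    ON c.thumbprint = cp.thumbprint
LEFT JOIN sys.asymmetric_keys AS ak
    ON ak.thumbprint = cp.thumbprint
WHERE cp.class = 1                            -- 1 = object or column
ORDER BY signer_name, module_name;

-- Summary: module count and most recent modification per signer.
SELECT
    COALESCE(c.name, ak.name, N'<signer not found in msdb>') AS signer_name,
    COUNT(*)                                  AS signed_modules,
    MIN(o.create_date)                        AS earliest_create_date,
    MAX(o.modify_date)                        AS latest_modify_date
FROM sys.crypt_properties AS cp
JOIN sys.objects AS o
    ON o.object_id = cp.major_id
LEFT JOIN sys.certificates AS c
    ON c.thumbprint = cp.thumbprint
LEFT JOIN sys.asymmetric_keys AS ak
    ON ak.thumbprint = cp.thumbprint
WHERE cp.class = 1
GROUP BY COALESCE(c.name, ak.name, N'<signer not found in msdb>')
ORDER BY signed_modules DESC;
```

On a freshly deployed instance matching the question, the summary would be expected to show a single signer, `##MS_AgentSigningCertificate##`. A different signer, or a `modify_date` that does not line up with installation or patching, is what to examine before accepting the list as a baseline.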