The recent hacks via SolarWinds’ Orion Network Management Software (NMS) were the result of a supply chain hack. Companies were “hacked” because their NMS supplier was hacked. The hack on that supplier (SolarWinds) altered the files that customers (users of the NMS) would use to update their systems.
The update files themselves were not altered (their certificates were valid); rather, some of the source files used to build those updates were.
This brings me to the question of a software supplier’s responsibilities: not just for what they supply, but for what they recommend from third-party sites.
I just watched the Epicor Webinar on Technical Tips and Tricks. One part was on SQL maintenance, and referenced Epicor’s KB0075000 (“SQL ADMIN - index maintenance best practices for Epicor ERP”), which includes links to a SQL script to download. The KB then instructs you to run the script on your DB. The links to the script (there are two, each with a different URL) are both external to Epicor.
The first link just references a filename, maintenancesolution.sql, which when clicked tries to open http://maintenancesolution.sql/. That results in “Website not found, Server IP address not found”. Currently a domain name cannot end with .sql, but if it could, someone could register that domain name and then switch the SQL script with one of their own.
The second link, https://ola.hallengren.com/scripts/MaintenanceSolution.sql, is a direct download. It doesn’t take you to that website’s page where you could do any verification of who you’re downloading from. Even if you were sent to a landing page, who knows what is in that script.
Epicor really should host a copy on a website that they control, so they can make sure it hasn’t been altered in any way. Instead the KB says to go get this file from some other website and blindly run it on your SQL server. I understand that they want to give the original author credit, but hot-linking to another website seems awfully risky, especially when the link is for code (the SQL script) to be run at an elevated level on a critical system (your SQL instance).
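Added example, not part of the original post and not Epicor’s KB tooling or the script author’s code: the kind of pre-flight check a DBA can put in front of that KB step. It refuses links that have no scheme (the bare filename case) or are not HTTPS from an agreed host, and it refuses any download whose SHA-256 does not match the copy the team already reviewed and keeps under its own control. The allowed host set, the sample script text and the pinned hash derived from it are assumptions constructed for the demo; fetching the file is left to the caller so the check runs offline.

```python
"""Pre-flight checks for a vendor-recommended SQL script before it is run on
a production SQL Server instance.

Added example for this post; it is not Epicor's KB tooling or Ola Hallengren's
code.  The sample script text and the pinned hash derived from it are
constructed for the demo.  In practice the team reviews the script once, keeps
that copy under its own control, and pins the SHA-256 of that copy.
"""
import hashlib
import hmac
from typing import Tuple
from urllib.parse import urlparse

# Hosts the team has decided to accept the script from (assumption for the demo).
ALLOWED_HOSTS = {"ola.hallengren.com"}

# Constructed stand-in for the reviewed copy of MaintenanceSolution.sql.
REVIEWED_SCRIPT = (
    b"-- constructed stand-in for a reviewed index-maintenance script\n"
    b"CREATE PROCEDURE dbo.IndexOptimize AS\n"
    b"BEGIN\n    SELECT 1;\nEND\n"
)


def sha256_hex(data: bytes) -> str:
    """SHA-256 of the script bytes as lowercase hex."""
    return hashlib.sha256(data).hexdigest()


# The value an operator records after reviewing the script, kept in the team's
# own repo rather than trusting whatever the link happens to serve next time.
PINNED_SHA256 = sha256_hex(REVIEWED_SCRIPT)


def classify_link(url: str) -> str:
    """Classify a KB link as 'ok', 'no-scheme', 'plaintext' or 'untrusted-host'.

    A bare filename such as 'maintenancesolution.sql' has no scheme or host; a
    browser guesses http://maintenancesolution.sql/ from it, which is both
    unencrypted and a host nobody controls today.
    """
    parsed = urlparse(url)
    if not parsed.scheme or not parsed.netloc:
        return "no-scheme"
    if parsed.scheme != "https":
        return "plaintext"
    if parsed.hostname not in ALLOWED_HOSTS:
        return "untrusted-host"
    return "ok"


def verify_pinned(script: bytes, pinned_hex: str) -> bool:
    """True only if the script's SHA-256 equals the pinned value (constant-time compare)."""
    return hmac.compare_digest(sha256_hex(script), pinned_hex.lower())


def preflight(url: str, script: bytes, pinned_hex: str) -> Tuple[bool, str]:
    """Decide whether a downloaded script may be run, with a reason.

    `script` is the bytes fetched from `url`; fetching is left to the caller so
    this check runs offline.
    """
    verdict = classify_link(url)
    if verdict != "ok":
        return False, f"refusing link: {verdict}"
    if not verify_pinned(script, pinned_hex):
        return False, "hash mismatch: script differs from the reviewed copy"
    return True, "script matches the reviewed copy"


if __name__ == "__main__":
    # The two links from the KB as described in the post, plus a tampered copy.
    for link in ("maintenancesolution.sql",
                 "https://ola.hallengren.com/scripts/MaintenanceSolution.sql"):
        print(link, "->", preflight(link, REVIEWED_SCRIPT, PINNED_SHA256))
    tampered = REVIEWED_SCRIPT + b"-- one extra line is enough to fail the check\n"
    print("tampered ->", preflight(
        "https://ola.hallengren.com/scripts/MaintenanceSolution.sql",
        tampered, PINNED_SHA256))
```

The hash comparison is the part that actually addresses the post’s concern: whoever controls the link, or the domain, can change what it serves, but they cannot change the value the team recorded after its own review, so a swapped script fails closed instead of running with elevated rights on the SQL instance.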