Copy-DbaLogin and Sync-DbaLoginPermission security concern #8674
Hello. I am testing using commands Copy-DbaLogin and Sync-DbaLoginPermission to sync logins between AG replicas running on SQL 2019. Our security team has reported that they receive this error when the commands are run.

The process (powershell.exe) executed the files several files that reside in the folder (c:\program files\windowspowershell\modules\dbatools) and made connections to the malicious IP address; (93.184.220[.]29). The total transmitted data is 1180 B and the received is 4 KB. This IP address was classified as malicious by threat intel. This activity appears to be related to MSSQLSERVER. [Recommendation] It is recommended to blocklist the IP address: (93.184.220[.]29) in your organization's firewall, proxy, mail filtering, and web filtering.

Does anyone know what the 93.184.220.29 IP address is?

Many Thanks
Replies: 2 comments
Hello @simon-appleyard - to enhance security, we sign our module using a Code Signing Certificate from DigiCert. This is Windows checking to ensure the certificate is still valid.

The categorization as a malicious IP is inaccurate.

You can confirm this is a DigiCert IP from their site: https://knowledge.digicert.com/generalinformation/INFO4629.html

https://en.wikipedia.org/wiki/Online_Certificate_Status_Protocol

If you decide to block it, you may want to
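One way to check the reply's explanation on the affected host, as an added example that is not part of the original discussion or of dbatools itself: read the revocation endpoints (OCSP and CRL URLs) out of the module's signing certificate chain and compare what they resolve to against the alerted address. The module path and IP are taken from the alert text quoted above; everything else is read from the certificate.

```powershell
# Values taken from the alert quoted in the question.
$modulePath = 'C:\Program Files\WindowsPowerShell\Modules\dbatools'
$alertedIp  = '93.184.220.29'

# Find one Authenticode-signed file in the module and take its signer certificate.
$sig = Get-ChildItem -Path $modulePath -Recurse -File -Include *.psd1, *.psm1, *.ps1, *.dll |
    ForEach-Object { Get-AuthenticodeSignature -FilePath $_.FullName } |
    Where-Object { $_.SignerCertificate } |
    Select-Object -First 1
if (-not $sig) { throw "No Authenticode-signed file found under $modulePath" }

"Signed file : $($sig.Path)"
"Status      : $($sig.Status)"
"Subject     : $($sig.SignerCertificate.Subject)"
"Issuer      : $($sig.SignerCertificate.Issuer)"

# Build the chain so intermediate CA certificates are inspected as well.
# Revocation lookups are skipped here; the goal is only to read the extensions.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'
[void]$chain.Build($sig.SignerCertificate)

# Authority Information Access (OCSP, CA issuers) and CRL Distribution Points.
$oids = '1.3.6.1.5.5.7.1.1', '2.5.29.31'
$urls = foreach ($el in $chain.ChainElements) {
    foreach ($ext in $el.Certificate.Extensions | Where-Object { $oids -contains $_.Oid.Value }) {
        [regex]::Matches($ext.Format($true), 'https?://[^\s\)]+') | ForEach-Object { $_.Value }
    }
}
$hosts = $urls | ForEach-Object { ([uri]$_).Host } | Sort-Object -Unique

# Resolve each revocation endpoint and compare against the alerted address.
foreach ($h in $hosts) {
    try   { $ips = @([System.Net.Dns]::GetHostAddresses($h) | ForEach-Object { $_.IPAddressToString }) }
    catch { $ips = @() }   # name did not resolve from this host
    [pscustomobject]@{
        Host         = $h
        Addresses    = $ips -join ', '
        MatchesAlert = $ips -contains $alertedIp
    }
}
```

These endpoints are typically served from CDN addresses that change over time, so a non-match today does not contradict the reply; compare the hostnames printed here with proxy or DNS logs from the time of the alert.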