GHSA-HWCC-4CV8-CF3H

Vulnerability from github – Published: 2023-12-22 19:51 – Updated: 2023-12-22 19:51
VLAI?
Summary
Snowflake Connector .NET does not properly check the Certificate Revocation List (CRL)
Details

Issue

Snowflake recently received a report about a vulnerability in the Snowflake Connector .NET where the checks against the Certificate Revocation List (CRL) were not performed where the insecureMode flag was set to false, which is the default setting. The vulnerability affects versions between 2.0.25 and 2.1.4 (inclusive). Snowflake fixed the issue in version 2.1.5.

Attack Scenario

Snowflake uses CRL to check if a TLS certificate has been revoked before its expiration date. The lack of correct validation of revoked certificates could, in theory, allow an attacker who has both access to the private key of a correctly issued Snowflake certificate and the ability to intercept network traffic to perform a Man-in-the-Middle (MitM) attack in order to compromise Snowflake credentials used by the driver.

The vulnerability is difficult to exploit given both conditions required and, at the time of this advisory's publication, Snowflake is not aware of any compromise of its certificates, nor unauthorized issuance of such by any publicly trusted Certificate Authority (CA). However, an upgrade to the newest version is recommended to ensure the highest level of security and protection against future unforeseen threats.

Solution

On December 18, 2023, Snowflake released version 2.1.5 of the Snowflake Connector .NET, which fixes the issue, and we recommend users upgrade to version 2.1.5. Customers continuing to use the impacted versions of the connector should update their insecureMode flag to true.

Acknowledgement

Snowflake would like to thank Timo Vink for reporting this vulnerability.

Additional Information

If you discover a security vulnerability in one of our products or websites, please report the issue to HackerOne. For more information, please see our Vulnerability Disclosure Policy.

Severity ?
6.0 (Medium)
CVSS:3.1/AV:A/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:L
Show details on source website
To clipboard 

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 2.1.4"
      },
      "package": {
        "ecosystem": "NuGet",
        "name": "Snowflake.Data"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.0.25"
            },
            {
              "fixed": "2.1.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-51662"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-295"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-12-22T19:51:09Z",
    "nvd_published_at": "2023-12-22T17:15:10Z",
    "severity": "MODERATE"
  },
  "details": "### Issue\nSnowflake recently received a report about a vulnerability in the Snowflake Connector .NET where the checks against the Certificate Revocation List (CRL) were not performed where the insecureMode flag was set to false, which is the default setting. The vulnerability affects versions between 2.0.25 and 2.1.4 (inclusive). Snowflake fixed the issue in [version 2.1.5](https://docs.snowflake.com/release-notes/clients-drivers/dotnet-2023#version-2-1-5-december-18-2023).\n\n### Attack Scenario\nSnowflake uses CRL to check if a TLS certificate has been revoked before its expiration date. The lack of correct validation of revoked certificates could, in theory, allow an attacker who has both access to the private key of a correctly issued Snowflake certificate and the ability to intercept network traffic to perform a Man-in-the-Middle (MitM) attack in order to compromise Snowflake credentials used by the driver.\n\nThe vulnerability is difficult to exploit given both conditions required and, at the time of this advisory\u0027s publication, Snowflake is not aware of any compromise of its certificates, nor unauthorized issuance of such by any publicly trusted Certificate Authority (CA). However, an upgrade to the newest version is recommended to ensure the highest level of security and protection against future unforeseen threats.\n\n### Solution\nOn December 18, 2023, Snowflake released [version 2.1.5](https://docs.snowflake.com/release-notes/clients-drivers/dotnet-2023#version-2-1-5-december-18-2023) of the Snowflake Connector .NET, which fixes the issue, and we recommend users upgrade to [version 2.1.5](https://docs.snowflake.com/release-notes/clients-drivers/dotnet-2023#version-2-1-5-december-18-2023).  Customers continuing to use the impacted versions of the connector should update their insecureMode flag to true. \n\n### Acknowledgement\nSnowflake would like to thank [Timo Vink](https://github.com/TimoVink) for reporting this vulnerability.\n\n### Additional Information\nIf you discover a security vulnerability in one of our products or websites, please report the issue to HackerOne. For more information, please see our [Vulnerability Disclosure Policy](https://hackerone.com/snowflake?type=team).",
  "id": "GHSA-hwcc-4cv8-cf3h",
  "modified": "2023-12-22T19:51:09Z",
  "published": "2023-12-22T19:51:09Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/snowflakedb/snowflake-connector-net/security/advisories/GHSA-hwcc-4cv8-cf3h"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-51662"
    },
    {
      "type": "WEB",
      "url": "https://github.com/snowflakedb/snowflake-connector-net/commit/49cb77ddd6e18c110eca35aa580e89d73c46cc33"
    },
    {
      "type": "WEB",
      "url": "https://docs.snowflake.com/release-notes/clients-drivers/dotnet-2023#version-2-1-5-december-18-2023"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/snowflakedb/snowflake-connector-net"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:A/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Snowflake Connector .NET does not properly check the Certificate Revocation List (CRL)"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.