Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1od2NjLTRjdjgtY2YzaM4AA4AE
Snowflake Connector .NET does not properly check the Certificate Revocation List (CRL)
Issue
Snowflake recently received a report about a vulnerability in the Snowflake Connector .NET where the checks against the Certificate Revocation List (CRL) were not performed where the insecureMode flag was set to false, which is the default setting. The vulnerability affects versions between 2.0.25 and 2.1.4 (inclusive). Snowflake fixed the issue in version 2.1.5.
Attack Scenario
Snowflake uses CRL to check if a TLS certificate has been revoked before its expiration date. The lack of correct validation of revoked certificates could, in theory, allow an attacker who has both access to the private key of a correctly issued Snowflake certificate and the ability to intercept network traffic to perform a Man-in-the-Middle (MitM) attack in order to compromise Snowflake credentials used by the driver.
The vulnerability is difficult to exploit given both conditions required and, at the time of this advisory's publication, Snowflake is not aware of any compromise of its certificates, nor unauthorized issuance of such by any publicly trusted Certificate Authority (CA). However, an upgrade to the newest version is recommended to ensure the highest level of security and protection against future unforeseen threats.
Solution
On December 18, 2023, Snowflake released version 2.1.5 of the Snowflake Connector .NET, which fixes the issue, and we recommend users upgrade to version 2.1.5. Customers continuing to use the impacted versions of the connector should update their insecureMode flag to true.
Acknowledgement
Snowflake would like to thank Timo Vink for reporting this vulnerability.
Additional Information
If you discover a security vulnerability in one of our products or websites, please report the issue to HackerOne. For more information, please see our Vulnerability Disclosure Policy.
Permalink: https://github.com/advisories/GHSA-hwcc-4cv8-cf3hJSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1od2NjLTRjdjgtY2YzaM4AA4AE
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: 4 months ago
Updated: 4 months ago
CVSS Score: 6.0
CVSS vector: CVSS:3.1/AV:A/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:L
Identifiers: GHSA-hwcc-4cv8-cf3h, CVE-2023-51662
References:
- https://github.com/snowflakedb/snowflake-connector-net/security/advisories/GHSA-hwcc-4cv8-cf3h
- https://nvd.nist.gov/vuln/detail/CVE-2023-51662
- https://github.com/snowflakedb/snowflake-connector-net/commit/49cb77ddd6e18c110eca35aa580e89d73c46cc33
- https://docs.snowflake.com/release-notes/clients-drivers/dotnet-2023#version-2-1-5-december-18-2023
- https://github.com/advisories/GHSA-hwcc-4cv8-cf3h
Blast Radius: 1.0
Affected Packages
nuget:Snowflake.Data
Dependent packages: 0Dependent repositories: 0
Downloads: 7,059,163 total
Affected Version Ranges: >= 2.0.25, <= 2.1.4
Fixed in: 2.1.5
All affected versions: 2.0.25, 2.1.0, 2.1.1, 2.1.2, 2.1.3, 2.1.4
All unaffected versions: 0.1.0, 0.1.1, 0.2.0, 0.3.0, 1.0.0, 1.0.1, 1.0.2, 1.0.3, 1.0.4, 1.0.5, 1.0.6, 1.0.7, 1.0.8, 1.0.9, 1.0.10, 1.0.11, 1.0.12, 1.0.13, 1.0.14, 1.0.15, 1.0.16, 1.1.0, 1.1.1, 1.1.2, 1.1.3, 1.1.4, 1.2.0, 1.2.1, 1.2.2, 1.2.3, 1.2.4, 1.2.5, 1.2.6, 1.2.7, 1.2.8, 1.2.9, 2.0.0, 2.0.1, 2.0.2, 2.0.3, 2.0.4, 2.0.5, 2.0.6, 2.0.7, 2.0.8, 2.0.9, 2.0.10, 2.0.11, 2.0.12, 2.0.13, 2.0.14, 2.0.15, 2.0.16, 2.0.17, 2.0.18, 2.0.19, 2.0.20, 2.0.21, 2.0.22, 2.0.23, 2.0.24, 2.1.5, 2.2.0