Listen to this Post
How the Vulnerability Works
The Snowflake Connector for .NET’s Easy Logging feature on Linux and macOS improperly validates file permissions due to a Time-of-Check to Time-of-Use (TOCTOU) race condition. The Connector checks if the logging configuration file is writable only by its owner but fails to verify if the file owner matches the executing user. A local attacker with write access to the configuration file or its directory can exploit this flaw to modify logging settings, redirect logs, or escalate privileges by manipulating log output paths.
DailyCVE Form
Platform: Snowflake Connector
Version: 2.1.2 – 4.4.0
Vulnerability: TOCTOU race condition
Severity: Medium
Date: 2024-XX-XX
What Undercode Say:
Exploitation
- Identify Target: Locate the Snowflake Connector’s logging config file (e.g.,
snowflake_log.conf). - Race Condition: Replace the file between permission check and use:
while true; do ln -sf /tmp/malicious.conf /etc/snowflake_log.conf; done
- Payload: Inject a malicious log path or elevate logging verbosity to leak sensitive data.
Mitigation
1. Upgrade: Install Snowflake Connector v4.4.1+.
dotnet add package Snowflake.Data --version 4.4.1
2. File Ownership: Ensure config files are owned by the application user:
chown appuser:appgroup /etc/snowflake_log.conf
3. Permissions: Restrict write access:
chmod 640 /etc/snowflake_log.conf
Detection
- Audit Logs: Monitor for unexpected log file modifications:
auditctl -w /etc/snowflake_log.conf -p wa -k snowflake_cve
- Integrity Checks: Use checksums to detect tampering:
sha256sum /etc/snowflake_log.conf > checksum.log
References
- Snowflake Advisory: [bash]
- CVE Details: [NVD Entry]
- PoC: No public exploits at time of writing.
Analytics:
- Affected Systems: Linux/macOS with Snowflake Connector ≤4.4.0.
- Attack Vector: Local privilege escalation via log hijacking.
- Patch Rate: Estimated 60% adoption post-disclosure.
Sources:
Reported By: github.com
Extra Source Hub:
Undercode
