6

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2023-51662

GHSA ID

GHSA-hwcc-4cv8-cf3h

EPSS Score

0.55188%

CWE

CWE-295

Published

12/22/2023

Updated

12/22/2023

KEV Status

Technology

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2023-51662

CVE-2023-51662: Snowflake Connector .NET does not properly check the Certificate Revocation List (CRL)

Issue

Snowflake recently received a report about a vulnerability in the Snowflake Connector .NET where the checks against the Certificate Revocation List (CRL) were not performed where the insecureMode flag was set to false, which is the default setting. The vulnerability affects versions between 2.0.25 and 2.1.4 (inclusive). Snowflake fixed the issue in version 2.1.5.

Attack Scenario

Snowflake uses CRL to check if a TLS certificate has been revoked before its expiration date. The lack of correct validation of revoked certificates could, in theory, allow an attacker who has both access to the private key of a correctly issued Snowflake certificate and the ability to intercept network traffic to perform a Man-in-the-Middle (MitM) attack in order to compromise Snowflake credentials used by the driver.

The vulnerability is difficult to exploit given both conditions required and, at the time of this advisory's publication, Snowflake is not aware of any compromise of its certificates, nor unauthorized issuance of such by any publicly trusted Certificate Authority (CA). However, an upgrade to the newest version is recommended to ensure the highest level of security and protection against future unforeseen threats.

Solution

On December 18, 2023, Snowflake released version 2.1.5 of the Snowflake Connector .NET, which fixes the issue, and we recommend users upgrade to version 2.1.5. Customers continuing to use the impacted versions of the connector should update their insecureMode flag to true.

Acknowledgement

Snowflake would like to thank Timo Vink for reporting this vulnerability.

Additional Information

If you discover a security vulnerability in one of our products or websites, please report the issue to HackerOne. For more information, please see our Vulnerability Disclosure Policy.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2023-51662

CVE-2023-51662:

6

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2023-51662

GHSA ID

GHSA-hwcc-4cv8-cf3h

EPSS Score

0.55188%

CWE

CWE-295

Published

12/22/2023

Updated

12/22/2023

KEV Status

Technology

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.1/AV:A/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:L

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
Snowflake.Data	nuget	>= 2.0.25, <= 2.1.4	2.1.5

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from improper CRL check implementation when insecureMode=false. The commit diff shows a critical line change in SFSessionHttpClientProperties.cs where 'CrlCheckEnabled' was flipped from 'insecureMode' to '!insecureMode'. This indicates the original implementation inverted the security logic - when insecureMode was disabled (false), CRL checks were also disabled. The BuildHttpClientConfig function directly controlled this security parameter, making it the vulnerable component. Supporting test changes in SFHttpClientPropertiesTest.cs validate() this behavior by explicitly testing the inverse relationship post-fix.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

6

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2023-51662: Snowflake Connector .NET does not properly check the Certificate Revocation List (CRL)

Issue

Attack Scenario

Solution

Acknowledgement

Additional Information

CVE-2023-51662:

6

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

6

6

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Basic Information

Basic Information

Technical Details

CVE-2023-51662: Snowflake Connector .NET does not properly check the Certificate Revocation List (CRL)

Issue

Attack Scenario

Solution

Acknowledgement

Additional Information

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI