Snow has discovered a security vulnerability in the Snow Inventory Agent for Windows. The vulnerability results from an issue in a third-party component, CPUID, that could allow privilege escalation if exploited. Snow is urging all customers running Snow Inventory Agent for Windows v5.3.1 and above to take action as soon as possible.
Severity
The CVSS score is calculated at 8.3, denoting high severity. However, given the broad footprint of the Snow Inventory Agent, we believe it is important for all customers to follow the remediation steps immediately.
Description
The Snow Inventory Agent uses CPUID to report on processor types and versions that may be deployed and in use across an IT environment. The vulnerability exists if CPUID is enabled, and the issue is remediated by disabling this component via configuration settings.
This vulnerability was discovered as part of our bug bounty program, and there are no current or prior reports that this vulnerability has been exploited. While the nature of the vulnerability is serious, we are encouraged that our bug bounty program is working as designed and actively flagging potential security issues so that we can quickly address and mitigate them for our customers.
Remediation
There are two options for remediation, both of which require the CPUID setting to be disabled:
- Change an existing Snow Inventory Agent for Windows configuration file
- Use Snow Inventory Server Admin Console to deploy an update for Snow Inventory Agent for Windows
Please refer to the technical documentation for step-by-step instructions on how to implement these fixes.
Snow tested the new configuration in its own environments to ensure that any potential issues were discovered and documented properly. Notably, CPU hardware information may look slightly different once a fix is implemented; however, calculations and the quality of the data will not be impacted. More details are included in the technical documentation.