CVE-2023-34230
📋 TL;DR
The Snowflake Connector for .NET is vulnerable to command injection via SSO URL authentication, allowing remote code execution if an attacker tricks a user into visiting a maliciously crafted connection URL. This affects all users of snowflake-connector-net versions prior to 2.0.18 who use SSO authentication.
💻 Affected Systems
- snowflake-connector-net
⚠️ Risk & Real-World Impact
Worst Case
Full remote code execution on the user's local machine, potentially leading to complete system compromise, data theft, and lateral movement within the network.
Likely Case
Targeted phishing attacks against Snowflake users leading to malware installation or credential theft from individual workstations.
If Mitigated
Limited impact with proper URL whitelisting and anti-phishing controls, potentially preventing successful exploitation even if users are tricked.
🎯 Exploit Status
Exploitation requires both a malicious server setup and successful phishing of users. The attack chain has multiple steps but is technically feasible.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.0.18
Vendor Advisory: https://github.com/snowflakedb/snowflake-connector-net/security/advisories/GHSA-223g-8w3x-98wr
Restart Required: Yes
Instructions:
1. Update snowflake-connector-net to version 2.0.18 or later via NuGet package manager.
2. Restart any applications using the connector.
3. Verify the update was successful.
🔧 Temporary Workarounds
URL Whitelisting
Implement strict URL whitelisting for SSO authentication endpoints to prevent connections to malicious servers.
Disable SSO Authentication
Temporarily disable SSO URL authentication and use alternative authentication methods if possible.
🧯 If You Can't Patch
- Implement strict network controls to block connections to untrusted external servers from workstations using the connector.
- Enhance anti-phishing training and controls to prevent users from clicking on suspicious connection URLs.
🔍 How to Verify
Check if Vulnerable:
Check the installed version of Snowflake.Data (snowflake-connector-net) via NuGet package manager or by examining the assembly version.
Check Version:
In PowerShell: Get-Package -Name Snowflake.Data | Select-Object Version
Verify Fix Applied:
Confirm that Snowflake.Data version is 2.0.18 or higher in your project dependencies.
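The dependency check above can be automated across project files. This is an added example, not code from Snowflake or the advisory; it assumes dependencies are declared as PackageReference items in a .csproj or as entries in packages.config, and the function names and sample XML are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

PACKAGE = "Snowflake.Data"
FIXED = (2, 0, 18, 0)  # first patched release named on this page, padded to 4 parts

# Constructed sample inputs (not taken from a real project).
SAMPLE_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk"><ItemGroup>
  <PackageReference Include="Snowflake.Data" Version="2.0.17" />
  <PackageReference Include="Newtonsoft.Json" Version="13.0.3" />
</ItemGroup></Project>"""
SAMPLE_PACKAGES_CONFIG = """<packages>
  <package id="Snowflake.Data" version="2.0.18" targetFramework="net472" />
</packages>"""

def parse_version(text):
    """Return a 4-part numeric tuple, or None for ranges, wildcards and prereleases."""
    if not re.fullmatch(r"\d+(\.\d+){0,3}", text.strip()):
        return None
    parts = [int(p) for p in text.strip().split(".")]
    return tuple(parts + [0] * (4 - len(parts)))

def find_references(xml_text):
    """Yield the declared Snowflake.Data version strings found in the XML."""
    for el in ET.fromstring(xml_text).iter():
        tag = el.tag.rsplit("}", 1)[-1]  # drop any MSBuild XML namespace
        if tag == "PackageReference":
            name = el.get("Include") or el.get("Update") or ""
            version = el.get("Version")
            if version is None:  # the version may be a child <Version> element
                for child in el:
                    if child.tag.rsplit("}", 1)[-1] == "Version":
                        version = child.text
        elif tag == "package":  # packages.config entry
            name, version = el.get("id") or "", el.get("version")
        else:
            continue
        if name.lower() == PACKAGE.lower():  # NuGet package ids are case-insensitive
            yield (version or "").strip()

def assess(xml_text):
    """Return [(declared_version, status)]; 'review' means resolve the version by hand."""
    results = []
    for v in find_references(xml_text):
        parsed = parse_version(v)
        status = "review" if parsed is None else ("patched" if parsed >= FIXED else "vulnerable")
        results.append((v, status))
    return results
```

Versions are compared numerically, so 2.0.9 is reported as older than 2.0.18. A missing, floating or ranged version is reported as "review" because the resolved version then has to be read from the lock file or central package settings.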
📡 Detection & Monitoring
Log Indicators:
- Unusual SSO authentication attempts to non-standard domains
- Process creation events from snowflake-connector-net processes
Network Indicators:
- Outbound connections from workstations to unknown or suspicious domains during SSO authentication
SIEM Query:
Process creation where parent_process contains 'snowflake' AND command_line contains unusual characters or domains