Vulnerability 000015758

2022-03-31 (first published 2021-02-22)

Snow has discovered a potential security vulnerability in Snow Inventory Agent for Windows, versions 5.3.1 to 6.7.0. The vulnerability results from an issue in a third-party component, CPUID, that could allow escalated privileges if exploited. Snow is urging all customers with Snow Inventory Agent for Windows 5.3.1 to 6.7.0 to remediate the vulnerability as soon as possible.

The vulnerability was discovered as part of our bug bounty program, and there are no current or prior reports that this vulnerability has been exploited. While the nature of the vulnerability is serious, we are encouraged that our bug bounty program is working as designed and actively flagging potential security issues to quickly address and mitigate them for our customers.

CPUID is used for CPU recognition. The vulnerability exists in Snow Inventory Agent for Windows, versions 5.3.1 to 6.7.0, if CPUID is enabled.

From version 6.7.1 of Snow Inventory Agent for Windows, the CPUID component has been removed. Snow recommends upgrading to Snow Inventory Agent for Windows, version 6.7.1 or later, to remediate the vulnerability. If upgrading is not an option, the CPUID setting must be disabled, as described in Remediation.