Vulnerability description

Snow has discovered a potential security vulnerability in Snow Inventory Agent for Windows. The vulnerability results from an issue in a third-party component, CPUID, that could allow escalated privileges if exploited. Snow is urging all customers with Snow Inventory Agent for Windows 5.3.1 and later to take action as soon as possible.

The vulnerability was discovered as part of our bug bounty program, and there are no current or prior reports that this vulnerability has been exploited. While the nature of the vulnerability is serious, we are encouraged that our bug bounty program is working as designed and actively flagging potential security issues so that we can quickly address and mitigate them for our customers.

CPUID is used for CPU recognition. The vulnerability exists if CPUID is enabled. CPUID can be disabled by using the Snow Inventory Agent for Windows configuration setting hardware.scan.enable_cpuid.

Affected environments

  • Inventory Agent for Windows 5.3.1

  • Inventory Agent for Windows 6 (all versions)

Support

If you encounter issues while applying the fix or have questions or concerns, reach out to your Snow contact or raise a new case with Snow Support.

If a partner hosts your Snow instance, please reach out to your partner to implement the fix.