Vulnerability description

Snow has discovered a potential security vulnerability in Snow Inventory Agent for Windows, versions 5.3.1 to 6.7.0. The vulnerability results from an issue in a third-party component, CPUID, that could allow privilege escalation if exploited. Snow is urging all customers with Snow Inventory Agent for Windows 5.3.1 to 6.7.0 to remediate the vulnerability as soon as possible.

The vulnerability was discovered as part of our bug bounty program, and there are no current or prior reports that this vulnerability has been exploited. While the nature of the vulnerability is serious, we are encouraged that our bug bounty program is working as designed and actively flagging potential security issues so that we can quickly address and mitigate them for our customers.

CPUID is used for CPU recognition. The vulnerability exists in Snow Inventory Agent for Windows, versions 5.3.1 to 6.7.0, if CPUID is enabled.

From version 6.7.1 of Snow Inventory Agent for Windows, the CPUID component has been removed. Snow recommends upgrading to Snow Inventory Agent for Windows, version 6.7.1 or later, to remediate the vulnerability. If upgrading is not an option, the CPUID setting must be disabled, as described in Remediation.

Affected environments

  • Inventory Agent for Windows 5.3.1

  • Inventory Agent for Windows 6.0.0 to 6.7.0

Support

If you have questions or concerns regarding the vulnerability and the remediation process, reach out to your Snow contact or raise a new case with Snow Support.

If a partner hosts your Snow instance, please reach out to your partner to remedy the vulnerability.