Horizon Alert
Summary of the vulnerability and why it matters
Improper TLS hostname verification in the Snowflake Connector for Python could allow an attacker with network access to intercept and tamper with data, including credentials and query results, by presenting a forged certificate. This could enable an attacker to execute arbitrary SQL commands within a compromised session, with the impact limited by the privileges of the affected Snowflake role.
- Connectors can be tricked by forged certificates.
- Prevents sensitive data interception and unauthorized commands.
- Confirm connector relevance and check for exposure.
Attack Path
How an attacker could exploit the issue
An attacker positioned on the network could exploit this vulnerability by intercepting or redirecting traffic, then presenting a fake but trusted certificate to the Snowflake Connector for Python. This would trick the connector into accepting the malicious connection without verifying the hostname, potentially exposing sensitive data or allowing unauthorized commands.
- Requires on-path network access.
- Triggers on HTTPS connection establishment.
- Exposes data and allows command injection.
Live Threat
Current exploitation, exposure, and threat context
Improper TLS hostname verification in the Snowflake Connector for Python could allow a network-positioned attacker to bypass certificate validation and accept connections to unauthorized servers. When supported by an on-path network interception capability, this could expose credentials, query data, and staged file contents to interception and tampering, and enable the attacker to issue arbitrary SQL commands.
- Credentials and query data at risk.
- On-path network interception by attacker.
- Interception, tampering, and SQL injection.
Operational Fix
Recommended remediation, mitigation, and detection steps
The Snowflake Connector for Python is a client-side library, meaning ownership likely resides with application development teams or those responsible for managing data pipelines that utilize Snowflake. The first practical step involves identifying all applications and scripts using the connector, assessing their business criticality, and understanding their network exposure to confirm the need for immediate action.
- Application teams own the issue.
- Verify affected application reachability.
- Plan manual connector upgrades.