CVE-2025-24789: Privilege Escalation Vulnerability in Snowflake JDBC Driver with EXTERNALBROWSER Authentication on Windows

Snowflake, a leading cloud-based data warehousing and analytics platform enabling businesses to store and analyze their data, offers a JDBC type 4 driver. The JDBC driver allows Java applications to connect to Snowflake, enabling both core functionality and advanced features. However, a recently discovered vulnerability in the Snowflake JDBC Driver leaves certain systems running Windows exposed to potential attacks. Specifically, when using the EXTERNALBROWSER authentication method on Windows, this vulnerability could result in escalated privileges for attackers.

Vulnerability Details

As mentioned, this exploit only affects systems running the Snowflake JDBC Driver versions 3.2.3 through 3.21. on Windows. When using the EXTERNALBROWSER authentication method, the system can be compromised if an attacker gains write access to a directory present in the %PATH% environment variable.

The issue stems from the way the EXTERNALBROWSER authentication method launches the browser. When called, the vulnerable JDBC Driver version does not properly validate the system's %PATH% variable, potentially allowing arbitrary executables to be executed with the privileges of the user running the JDBC Driver.

Exploit Sample

import java.sql.Connection;
import java.sql.DriverManager;

public class SnowflakeJDBCVulnerability {

  public static void main(String[] args) {
    String connectionString = "jdbc:snowflake://<insert_your_snowflake_account>.snowflakecomputing.com/?user=<insert_your_username>&password=<insert_your_password>&authenticator=externalbrowser";
    
    try (Connection connection = DriverManager.getConnection(connectionString)) {
      System.out.println("Connected to Snowflake using EXTERNALBROWSER authentication.");
    } catch (Exception e) {
      System.err.println("Error connecting to Snowflake: " + e.getMessage());
    }
  }
}

In the vulnerable JDBC Driver versions, this code could potentially allow an attacker with write access to a %PATH% directory to execute arbitrary code.

Mitigation

Snowflake has fixed the vulnerability in version 3.22. of the JDBC Driver. It is strongly advised to update to the latest fixed driver. You can find the latest release at the following link:

Java SE Development Kit 17 Downloads

To further mitigate the risk, restrict write access to directories in the %PATH% environment variable, and limit the number of directories in the %PATH% where possible.

Conclusion

It is crucial to keep your systems up to date and be aware of potential vulnerabilities that could expose your organization to attacks or allow attackers to escalate their privileges. By staying informed and taking measures to address issues like the one detailed above, you can help protect your data and maintain a secure digital environment.

Timeline

Published on: 01/29/2025 18:15:47 UTC