Skip to main content

Vulnerability 000015758

2022-03-31 (first published 2021-02-22)

Flexera has discovered a potential security vulnerability in Snow Inventory Agent for Windows, versions 5.3.1 to 6.7.0. The vulnerability results from an issue in a third-party component, CPUID, that could allow escalated privileges if exploited. Flexera is urging all customers with Snow Inventory Agent for Windows 5.3.1 to 6.7.0 to remediate the vulnerability as soon as possible.

The vulnerability was discovered as part of our bug bounty program, and there are no current or prior reports that this vulnerability has been exploited. While the nature of the vulnerability is serious, we are encouraged that our bug bounty program is working as designed and actively flagging potential security issues to quickly address and mitigate them for our customers.

CPUID is used for CPU recognition. The vulnerability exists in Snow Inventory Agent for Windows, versions 5.3.1 to 6.7.0, if CPUID is enabled.

From version 6.7.1 of Snow Inventory Agent for Windows, the CPUID component has been removed. Flexera recommends upgrading to Snow Inventory Agent for Windows, version 6.7.1 or later, to remediate the vulnerability. If upgrading is not an option, the CPUID setting must be disabled, as described in Remediation.

Affected environments

  • Inventory Agent for Windows 5.3.1

  • Inventory Agent for Windows 6.0.0 to 6.7.0

Support

If you have questions or concerns regarding the vulnerability and the remediation process, reach out to your Flexera contact or raise a new case with Flexera Support.

If a partner hosts your environment, please reach out to your partner to remedy the vulnerability.