github.com/snowflakedb/gosnowflake
cpe:2.3:a:snowflake:gosnowflake:*:*:*:*:go:*:*
- >= 1.7.0, < 1.13.3
A Time-of-Check to Time-of-Use (TOCTOU) race condition vulnerability has been identified in the gosnowflake Snowflake Golang driver, affecting versions 1.7.0 prior to 1.13.3. The vulnerability arises in the Easy Logging feature on Linux and macOS, where the driver reads logging configuration from a user-specified file. The driver attempts to verify that the configuration file is writable only by its owner, but this check is flawed: it does not properly validate that the file owner aligns with the user executing the driver, which leaves a TOCTOU window between the permission check and the subsequent read of the file. As a result, a local attacker with write access to the configuration file or its containing directory could manipulate the configuration, potentially gaining control over the logging level and output location.
Exploitation of this vulnerability could allow a local attacker to overwrite the logging configuration, thereby gaining control over the logging level and output location.
The vulnerability can be reproduced by using the Easy Logging feature of the gosnowflake driver on a Linux or macOS system. A user must provide a configuration file that the driver will read. If the file's permissions allow it to be written by others, the driver may incorrectly validate the file's ownership. This creates a window of opportunity for an attacker to exploit the race condition, especially if they have write access to the configuration file or the directory it resides in.
Users are advised to upgrade to gosnowflake version 1.13.3, which addresses this vulnerability.
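The following Go snippet is an added illustration of the two defects the advisory describes and of how a hardened loader avoids them; it is not gosnowflake's own code and does not reproduce the driver's actual Easy Logging logic. `flawedCheck` stats the path, tests only the permission bits, and then performs a second, independent path lookup to read the file, so it neither compares the owner with the running user nor guarantees that the file it checked is the file it reads. `hardenedLoad` opens the file first, runs `fstat` on that open descriptor, requires a regular file that is not group- or world-writable and whose owner UID equals the effective UID, and then reads from the same descriptor. The file name and JSON content are constructed placeholders, and the ownership check relies on `syscall.Stat_t`, which is available on Linux and macOS.

```go
package main

import (
	"errors"
	"fmt"
	"io"
	"os"
	"syscall"
)

// Sentinel errors so callers (and tests) can tell why a file was rejected.
var (
	ErrWorldWritable = errors.New("config file is writable by group or others")
	ErrWrongOwner    = errors.New("config file is not owned by the current user")
	ErrNotRegular    = errors.New("config path is not a regular file")
)

// flawedCheck mirrors the weak pattern the advisory describes.
// Defect 1: only the mode bits are checked; the owner is never compared
//           with the user running the process.
// Defect 2: os.Stat and os.ReadFile are two separate path lookups, so the
//           path can be re-pointed between the check and the use (TOCTOU).
func flawedCheck(path string) ([]byte, error) {
	info, err := os.Stat(path)
	if err != nil {
		return nil, err
	}
	if info.Mode().Perm()&0o022 != 0 {
		return nil, ErrWorldWritable
	}
	return os.ReadFile(path) // second lookup: not necessarily the inode checked above
}

// hardenedLoad opens first and validates the descriptor it will actually read from.
func hardenedLoad(path string) ([]byte, error) {
	f, err := os.Open(path)
	if err != nil {
		return nil, err
	}
	defer f.Close()

	info, err := f.Stat() // fstat on the open descriptor, not a fresh path lookup
	if err != nil {
		return nil, err
	}
	if !info.Mode().IsRegular() {
		return nil, ErrNotRegular
	}
	if info.Mode().Perm()&0o022 != 0 {
		return nil, ErrWorldWritable
	}
	st, ok := info.Sys().(*syscall.Stat_t) // Unix-only (Linux, macOS)
	if !ok {
		return nil, errors.New("ownership check unsupported on this platform")
	}
	if int(st.Uid) != os.Geteuid() {
		return nil, ErrWrongOwner
	}
	return io.ReadAll(f) // same inode that was just validated
}

func main() {
	// Constructed demo: an owner-only file is accepted, a world-writable one is rejected.
	dir, err := os.MkdirTemp("", "logcfg")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)
	path := dir + "/example_config.json" // hypothetical file name
	_ = os.WriteFile(path, []byte(`{"log_level":"INFO"}`), 0o600)

	if data, err := hardenedLoad(path); err == nil {
		fmt.Printf("accepted (0600): %s\n", data)
	}
	_ = os.Chmod(path, 0o666)
	if _, err := hardenedLoad(path); err != nil {
		fmt.Println("rejected (0666):", err)
	}
}
```

The mode test `Perm()&0o022 != 0` is the same bit check in both functions; what changes in the hardened version is the ownership comparison and the fact that check and read share one file descriptor. The second point is what closes the TOCTOU window; the first is what the advisory says the driver was missing.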