Alert essentials:
Misconfigurations are exposing ServiceNow Knowledge Bases, likely including organizational names, credentials, phone numbers, and sensitive data.

Over 1000 enterprise versions have been found with the misconfiguration. Mitigate right away if you have a forward-facing instance of ServiceNow Enterprise.


Detailed threat description:
Incorrectly configured Knowledge Base (KB) access controls in ServiceNow allow a bad actor to access internal data. The threat actor captures an HTTP request token, queries the public widget to retrieve KB articles, and then brute-forces the IDs of all articles.

Attackers do not have to be authenticated and can systematically move through KB article numbers until they find an exposed one.

An Access Control List (ACL) bypass fix was released for ServiceNow in 2023. Before proceeding with these additional steps, please ensure that this update has been applied to ServiceNow.

Mitigations include:

  • Review ACLs and public-use widgets to ensure they meet business and security needs, then assess whether the underlying data should remain publicly accessible
  • Ensure the maintenance does not impact intended functionality that legitimately supports unauthenticated users

If you notice any public functionality affected by this change, please choose one of the following actions:

  • Update the ACL(s) associated with the Table and Field to include the “public” role and remove the script that was added by the maintenance
  • Create a new ACL for the associated Table and Field that includes the “public” role

After updating the ACLs or creating a new ACL, consider taking the following steps for any table that requires public access:

  • Reduce the number of rows to which the public table-level ACL grants access by adding a condition and/or script to the ACL, thereby filtering out rows available publicly
  • Only apply the public role to specific fields that need unauthenticated access
  • All other fields not intended to be public should use a non-public role, which would require an authenticated session
  • Reduce the number of fields available for public access by configuring only required field-level ACLs with the “public” role
    • For the rest of the fields, add another role (which would enforce an authenticated session) on a wildcard field-level ACL
  • Additionally, the following script can be used in an ACL to require the user to be logged in: gs.isLoggedIn()
  • Review public widgets and consider setting the “public” flag to false if they do not align with their use cases
  • If external or mobile access to the instance isn’t necessary, apply IP Address Access Control to restrict access to only known, trusted IP addresses

Impacts on healthcare organizations:
Misconfigurations like this can expose internal secrets and strategies, potentially harming business operations. This risk could damage the hospital’s reputation and lead to financial losses.

Affected products / versions:

KB: ServiceNow KB1553688

Recommendations

Engineering recommendations:

  • Identify if anyone has configured any such ACLs in the organization’s instance of ServiceNow
  • Otherwise, update ACLs to add the following line to the script section of the ACL
    • gs.isLoggedIn()
  • The above will ensure that unauthenticated users cannot read the tables in question via the SimpleListWidget or other public portal widgets
  • Review Access Control Lists (ACLs) that are either empty or include the “Public” role to ensure they align with business and security needs and assess if the underlying data should be publicly accessible
  • Use ServiceNow’s User Criteria diagnostics tool to evaluate User Criteria (UC) and the resources they grant access to; pay special attention to any UC that assigns the ‘Guest’ user or includes the ‘public’ role, such as the built-in ‘Any User’ and ‘Guest’ UCs
  • Scrutinize public widgets and consider setting the “Public” flag to false if the open flag does not align with use cases
  • If you determine that external user access or mobile access to the instance is unnecessary, apply IP Address Access Control within the instance to limit access to only known, trusted IP addresses
  • Investigate System Properties that may dictate access to records through a provided role or list of roles

Leadership/Program recommendations:
This vulnerability highlights the need to keep policies, ACLs, and system configurations current. Doing so helps proactively reduce the risk of potential disasters that could damage reputation, disrupt business operations, or result in financial losses.

Fortified recommends applying patches and updates where possible and only after adequate testing in a development environment to ensure stability and compliance with organizational change management policies.


References: