Alert essentials:
This RCE is low-complexity, requires no prior authorization, and executes with the permissions of a valid ServiceNow user.
Version hotfixes and patches should be deployed immediately.
Detailed threat description:
A recently patched input validation flaw with a CVSS score of 9.8 could allow remote execution of arbitrary code with system privileges in ServiceNow’s platform.
Additionally, a blind SQL injection flaw with a CVSS score of 8.7 enables a bad actor to access and retrieve sensitive data. To make matters worse, neither of these weaknesses requires authentication.
No exploits are reported in the wild, and impacted versions need to be added to the current vendor advisory. However, hotfixes and new Washington DC and Vancouver versions are available through ServiceNow’s August and October patching programs.
An updated release of Xanadu, ServiceNow’s latest AI platform, is also ready for use. If not already deployed, apply security patches and hotfixes relevant to your ServiceNow instance as soon as possible.
Impacts on healthcare organizations:
The unavailability of hospital networks during attacks disrupts routine services such as childbirth and vaccinations, leading to preventable deaths and increasing the risk of disease outbreaks.
In the longer term, attacks gravely affect individuals with chronic conditions, whose conditions can become life-threatening when treatment that depends on technology resources is interrupted.
Affected Products / Versions
Impacted versions:
- Vancouver
- Washington
CVEs
- CVE-2024-8923
- CVE-2024-8924
Recommendations
Engineering recommendations:
- Apply security patches and/or hotfixes relevant to your ServiceNow instance as soon as possible
- Review access logs for unauthorized access attempts and address anomalies immediately
- Restrict platform access and enforce MFA where possible
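The second recommendation above, reviewing access logs for unauthorized access attempts, is the kind of step that benefits from a concrete starting point. The script below is an added example written for this advisory; it is not Fortified's or ServiceNow's code. It assumes a combined-format web or reverse-proxy access log in front of the instance (constructed sample lines are embedded), and it assumes a small list of paths that legitimately answer without a session; both the log format and the public-path list are assumptions to adapt to your environment. It flags two anomaly patterns: a request with no authenticated user that nonetheless succeeds against a non-public path, and a source address that accumulates repeated 401/403 responses.

```python
import re
from collections import defaultdict

# Combined-format access log line (assumed format for this example).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+) "(?P<ua>[^"]*)"$'
)

# Paths that legitimately respond without a session (login page, health check).
# Assumed list for this example; tune it to your instance.
PUBLIC_PATHS = ("/login.do", "/login_with_sso.do", "/stats.do")

# Constructed sample log: one normal session, one anonymous login-page hit,
# five rejected anonymous API calls from one source, then a successful
# anonymous API call from that same source, and one isolated 403.
SAMPLE_LOG = """\
10.0.0.5 - alice [15/Oct/2024:10:01:02 +0000] "GET /now/nav/ui/home HTTP/1.1" 200 5120 "Mozilla/5.0"
198.51.100.9 - - [15/Oct/2024:10:01:03 +0000] "GET /login.do HTTP/1.1" 200 2048 "Mozilla/5.0"
203.0.113.7 - - [15/Oct/2024:10:01:05 +0000] "POST /api/now/table/sys_user HTTP/1.1" 401 120 "python-requests/2.31"
203.0.113.7 - - [15/Oct/2024:10:01:06 +0000] "POST /api/now/table/sys_user HTTP/1.1" 401 120 "python-requests/2.31"
203.0.113.7 - - [15/Oct/2024:10:01:07 +0000] "POST /api/now/table/sys_user HTTP/1.1" 401 120 "python-requests/2.31"
203.0.113.7 - - [15/Oct/2024:10:01:08 +0000] "POST /api/now/table/sys_user HTTP/1.1" 401 120 "python-requests/2.31"
203.0.113.7 - - [15/Oct/2024:10:01:09 +0000] "POST /api/now/table/sys_user HTTP/1.1" 401 120 "python-requests/2.31"
203.0.113.7 - - [15/Oct/2024:10:01:12 +0000] "GET /api/now/table/sys_user?sysparm_limit=1 HTTP/1.1" 200 980 "python-requests/2.31"
198.51.100.9 - - [15/Oct/2024:10:02:00 +0000] "GET /api/now/table/incident HTTP/1.1" 403 95 "curl/8.4.0"
"""


def parse_line(line):
    """Return a dict of fields for a well-formed line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def review_access_log(lines, auth_failure_threshold=5):
    """Scan log lines and return a list of findings worth an analyst's attention."""
    findings = []
    failures_by_ip = defaultdict(int)

    for raw in lines:
        rec = parse_line(raw)
        if rec is None:
            continue  # skip malformed lines rather than abort the review
        unauthenticated = rec["user"] == "-"

        # Rule 1: an anonymous request succeeded against a path that should need a session.
        if unauthenticated and rec["status"] < 300 and not rec["path"].startswith(PUBLIC_PATHS):
            findings.append({
                "rule": "unauth_success",
                "ip": rec["ip"],
                "path": rec["path"],
                "status": rec["status"],
            })

        # Rule 2: tally rejected requests per source address.
        if rec["status"] in (401, 403):
            failures_by_ip[rec["ip"]] += 1

    for ip, count in failures_by_ip.items():
        if count >= auth_failure_threshold:
            findings.append({"rule": "auth_failure_burst", "ip": ip, "count": count})

    return findings


def review_sample():
    """Run the review over the constructed sample log."""
    return review_access_log(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for finding in review_sample():
        print(finding)
```

On the sample data the review produces two findings: the anonymous 200 against the user table from 203.0.113.7, and a burst of five rejected requests from the same address. The isolated 403 from 198.51.100.9 and the anonymous hit on the login page are left alone. The same two rules carry over to the instance's own transaction logs once the parser is adjusted to that format.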
Leadership/Program recommendations:
ServiceNow platforms have become increasingly attractive to threat actors, with attacks on government agencies, data centers, and major enterprises reported earlier this year.
These attacks highlight the ongoing risk that unpatched ServiceNow vulnerabilities pose to organizations across sectors.
Fortified recommends applying patches and updates where possible and only after adequate testing in a development environment to ensure stability and compliance with organizational change management policies.
References:
- ServiceNow: https://support.servicenow.com/kb?id=kb_article_view&sysparm_article=KB1706070
- ServiceNow: https://support.servicenow.com/kb?id=kb_article_view&sysparm_article=KB1706072
- Belgium Cyber Security: https://www.cert.be/en/advisory/warning-critical-vulnerability-servicenow-could-lead-remote-code-execution
- NIST: https://nvd.nist.gov/vuln/detail/CVE-2024-8923
- Vulnerability Database: https://vuldb.com/?id.282426