
Foreign threat actors exploit ServiceNow bugs


UPDATE (July 30): ServiceNow said it has not observed the activity mentioned by Resecurity against instances that ServiceNow hosts, but encouraged both self-hosted and ServiceNow-hosted customers to apply the relevant patches it deployed.

ServiceNow is used by 85% of the Fortune 500, so it is serious that foreign threat actors were observed exploiting two critical flaws and one medium-severity bug in the ServiceNow IT service-ticket platform.

In a July 24 blog post, Resecurity researchers said these flaws could let unauthenticated remote attackers execute arbitrary code within the Now Platform, potentially leading to compromise, data theft, and disruption of business operations. NIST described the bugs as input validation vulnerabilities that were identified in Now Platform releases for Vancouver and Washington, D.C.

Based on its research, Resecurity said there are approximately 300,000 ServiceNow instances that attackers could potentially probe remotely. The researchers said this confirmed the broad-scale and significant penetration of this solution in enterprise environments globally. The largest number of instances were identified in the United States, the United Kingdom, India, and the European Union.

The critical bugs are tracked as CVE-2024-4879 and CVE-2024-5217 and have CVSS scores of 9.3 and 9.2, respectively. The other bug, CVE-2024-5178, was given a CVSS score of 6.9. More than two weeks ago, ServiceNow released patches and hotfixes to mitigate these vulnerabilities.

When an attacker identifies an input validation flaw, it paves the way for them to inject malicious code — thereby compromising the system and/or allowing them to exfiltrate data, said Guy Rosenthal, vice president of product for DoControl. The vulnerabilities let a cybercriminal read files, which means that the attacker could traverse a system and manipulate file paths and have a wide berth to go anywhere and access anything that they’d like to see or steal, Rosenthal continued. Furthermore, the vulnerabilities lead to remote execution of the malicious code that they placed in a system during the input validation flaw.

“These three vulnerabilities gave the attacker free rein within the ServiceNow platform,” said Rosenthal. “Using a secure software development lifecycle is an important step that software engineering teams can implement. Using an SDLC doesn’t add additional time to workflows and the results of testing for these vulnerabilities equate to cleaner code and increased customer satisfaction.”

John Bambenek, president at Bambenek Consulting, explained that input validation flaws are where an application expects one type of input (such as a phone number), but gets something else (a shell script). Bambenek said in this case, users without any authentication can issue commands to ServiceNow installations and extract information.

“Due to the nature of what ServiceNow does, the data in these applications is a treasure trove of sensitive technical details of how an organization runs its technology,” said Bambenek. “Beyond patching, organizations could have a web application firewall in front of these applications that can help discover and block aberrant inputs.”
