ServiceNow is issuing a fix for a flaw that exposes data after a researcher published a method for unauthenticated attackers to steal an organization's sensitive files.
Security researcher Aaron Costello highlighted apparent issues with the default configurations of ServiceNow's widgets, allowing for personal data to be exposed.
ServiceNow's widgets act as powerful APIs for the platform's Service Portal. Despite a code change earlier this year to improve security, the default configuration of these widgets was to set their records public, meaning that if they're left unchanged, they will return the type of data an attacker specifies.
Before quietly issuing a fix on October 20, ServiceNow told The Register that it was aware of the research describing "a potential misconfiguration issue." However, it didn't say it would make any changes, adding that it works regularly with customers to ensure security configurations are properly implemented for each unique organization.
"We proactively work with customers on the ongoing security of their security configurations, including Access Control Lists (ACLs), to ensure they are properly structured and aligned to their intended purpose," a spokesperson said.
"We make these protocols extensible so our customers can configure them based on their unique security needs – from companies with public portals providing broad access to information to enterprise-specific use cases where access is restricted to select users."
How information is exposed
The issue revolves around ServiceNow's widgets, which are used extensively throughout the platform.
As many Reg readers know, widgets are like APIs that can take input parameters from a user – a table name and field name. A table is like a type of data being stored, such as user data, and field name refers to a field within that table, like first names. By passing specific table and field names into a call to a widget, an unauthenticated user could retrieve the data they want.
Access Control Lists (ACLs) govern the access to resources within ServiceNow, like tables, but not widgets themselves. These have a three-part check for roles, conditions, and scripts. If an ACL doesn't exist for a given resource, the default implementation is to deny access, but if a resource has an ACL with each of the three checks left "empty," access attempts resolve to true.
In his research, Costello suggested that many of the ACLs in use in ServiceNow are blank – the three checks are left empty and so access is granted to potential attackers.
The widget Costello used in his research as an example is Simple List, the function of which is to return record data when table and field names are supplied.
His findings revealed that an attacker who wanted to capitalize on these misconfigurations could do so by crafting a script that targeted a ServiceNow instance and iterated over a series of known table and field names, continuously calling a widget to see if any data was returned.
Personally identifiable information (PII) such as full names and email addresses is among the data that has been retrieved by researchers using this method. Internal documents and incident details were also retrieved by others.
Costello hasn't detected any attempts to exploit these misconfigurations in data theft attempts. However, he emphasized that he only started tracking them in 2021, and the misconfigurations have been in play since 2015, when the Simple List widget was added to the platform, meaning it would be very difficult to check for historical attempts.
"It is my knowledge, not a guess, that near-identical vectors exist across other popular SaaS applications, not only ServiceNow and Salesforce," Costello said in his writeup.
On March 3, 2023, ServiceNow made the first tweak to its resources, which checked whether the public role was explicitly applied in the ACL. If it wasn't, access would be denied. Costello suggested this didn't go far enough as there were other ways to make a resource public.
"We know that one must satisfy the role, condition, and scripted parts of an ACL," Costello said. "If 'public' is not defined as a role on the ACL, an unauthenticated user might still pass the condition or scripted parts and thus be granted access.
"Even more likely is the ACL is entirely empty of a defined role, condition, or script; allowing an unauthenticated user access to the resource."
The researcher was keen to highlight that ServiceNow did not have any public documentation on the affected component.
He also suggested that by issuing an initial fix in March, ServiceNow demonstrated that it knew about the issue, but did little to contact customers alerting them to potential data exposure.
"The fact that this widget disaster is known by the vendor, as proven this year by their modifications, yet has existed since 2015 without any publicly facing documentation, is appalling," he said.
There does exist a recently published, public-facing ServiceNow support page announcing the company was investigating the issue, but the customer communication that followed was limited to customer-only Knowledge Base (KB) articles.
After the research started attracting attention last week, ServiceNow quietly released a second fix for the issue that set all blank ACLs to disallow public access by default.
It announced in a non-public KB article, seen by The Register, that an update had been applied to all blank ACLs to add a script ensuring access was only granted if a user was logged in.
While the company believes this should go a long way in mitigating any unauthorized access attempts, it recommended defining the role, condition, and script checks on all ACLs used in ServiceNow.
It also warned that the update may have affected customers' instances that intentionally allowed unauthenticated users to access certain resources. In these cases, customers should remove the script that was added to each ACL by the update and either manually change the role to public or create a new ACL for the table and field and set its role to "public."
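To make the ACL behaviour concrete, here is an added model (not ServiceNow's code; the ACL and session shapes and the function names are assumptions) of the three-part role/condition/script check described above, an audit that flags blank ACLs, and the logged-in script the second fix adds to them:

```javascript
// Added model of ServiceNow's three-part ACL check (role, condition, script)
// written for this article. Not ServiceNow code; the acl/session shapes and
// evaluateAcl, findBlankAcls and hardenBlankAcls are assumptions.
// A widget such as Simple List reads a table on the caller's behalf, so the
// table's ACL decides what an unauthenticated caller gets back.

function evaluateAcl(acl, session) {
  if (!acl) return false;                          // no ACL at all: deny
  const roleOk = acl.roles.length === 0 ||         // empty role list passes
    acl.roles.some((r) => session.roles.includes(r));
  const condOk = !acl.condition || acl.condition(session);   // empty passes
  const scriptOk = !acl.script || acl.script(session);       // empty passes
  return roleOk && condOk && scriptOk;             // all three parts must pass
}

// Audit: ACLs with every part left empty grant access to anyone, which is
// the misconfiguration the article describes.
function findBlankAcls(acls) {
  return acls
    .filter((a) => a.roles.length === 0 && !a.condition && !a.script)
    .map((a) => a.name);
}

// Remediation modelled on the vendor's second fix: give each blank ACL a
// script that only passes for a logged-in session.
function hardenBlankAcls(acls) {
  const blank = new Set(findBlankAcls(acls));
  return acls.map((a) =>
    blank.has(a.name) ? { ...a, script: (s) => s.isLoggedIn } : a
  );
}

// Constructed sample ACLs keyed as table.field.
const sampleAcls = [
  { name: "sys_user.first_name", roles: [], condition: null, script: null }, // blank
  { name: "incident.description", roles: ["itil"], condition: null, script: null },
  { name: "kb_knowledge.text", roles: ["public"], condition: null, script: null }, // public on purpose
];
// Unauthenticated callers carry only the "public" role in this model.
const anonymous = { isLoggedIn: false, roles: ["public"] };
const employee = { isLoggedIn: true, roles: ["itil"] };

console.log("blank ACLs:", findBlankAcls(sampleAcls));                      // [ 'sys_user.first_name' ]
console.log("anonymous before fix:", evaluateAcl(sampleAcls[0], anonymous)); // true
const hardened = hardenBlankAcls(sampleAcls);
console.log("anonymous after fix:", evaluateAcl(hardened[0], anonymous));   // false
console.log("employee after fix:", evaluateAcl(hardened[0], employee));     // true
```

The intentionally public kb_knowledge ACL is untouched by the hardening step because it names a role, which matches the vendor's advice to declare an explicit "public" role rather than rely on an empty ACL.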
For any table that requires public access, customers have been urged to consider reducing the number of rows the ACL grants public access to, which can be done by adding a script, as well as only applying the public role to the specific fields that require it.
Widgets should also be reviewed for "public" flags that aren't necessary, and if external access isn't required at all, IP access control should be applied to the ServiceNow instance to allow only trusted IP addresses. ®