Customers of ServiceNow, a cloud-based platform used to handle IT companies and processes, might be unknowingly exposing confidential info, together with names, cellphone numbers, inside system particulars, and energetic credentials.
Misconfiguration of Information Bases — self-service platforms inside ServiceNow the place customers can create, retailer, and share info akin to articles and guides — may result in unauthorised people getting access to the system. Many organisations use Information Bases as repositories of delicate inside info, akin to the best way to reset firm passwords, how to answer a cyberattack, knowledge associated to HR processes, and extra.
In accordance with a new blog from SaaS safety platform supplier AppOmni, round 60% of exposures contain older variations of Information Bases which might be set as much as enable public entry by default. Others have “Person Standards” — guidelines that outline particular situations for customers to entry or contribute to Information Bases — which might be unintentionally granting entry to unauthenticated customers.
SEE: ServiceNow vs Jira Service Management
ServiceNow is utilized by 85% of Fortune 500, and over a thousand situations are at the moment arrange incorrectly. Many organisations with a number of ServiceNow situations had been discovered to have persistently misconfigured Information Base entry controls, indicating that the settings had been both cloned throughout situations or a basic misunderstanding of how they work exists.
Aaron Costello, chief of SaaS safety analysis at AppOmni, mentioned, “This highlights the pressing want for enterprises to routinely examine and replace their safety configurations to forestall unauthorised entry and shield their knowledge belongings.
“Understanding these points and the best way to mitigate them is important for sustaining strong safety in enterprise SaaS environments.”
This isn’t the primary time ServiceNow has been discovered to have been exposing delicate knowledge as a result of consumer misconfigurations. In 2020, one other researcher reported a similar finding the place Information Base articles had been publicly accessible via a now-secure UI web page.
Ben De Bont, chief info safety officer at ServiceNow, mentioned, “ServiceNow is dedicated to fostering collaboration with the safety group. We’re dedicated to defending our prospects’ knowledge, and safety researchers are necessary companions in our ongoing efforts to enhance the safety of our merchandise.”
What are the Information Base misconfigurations?
AppOmni found three circumstances whereby companies had been placing their ServiceNow Information Bases vulnerable to compromise:
- If utilizing an older model of ServiceNow the place the default settings for Information Base enable public entry when Person Standards aren’t arrange.
- If the “Any Person” and “Any consumer for kb” Person Standards are used as allowlists. Each of those grant entry to unauthenticated customers, which directors could not realise.
- If directors don’t configure denylists, permitting exterior customers to bypass entry controls.
SEE: 6 Best Governance, Risk & Compliance (GRC) Tools for 2024
How attackers can achieve entry to the Information Bases
In accordance with Costello’s proof of idea, attackers can achieve entry to misconfigured Information Bases via Public Widgets, such because the “KB Article Web page” widget, which shows content material from a particular Information Base article.
An attacker can automate requests to search out and entry articles via the widget utilizing a instrument known as Burp Suite. That is simpler with the KB Article Web page widget, which makes use of a predictable format for article IDs of “KBXXXXXXX,” the place X represents a optimistic integer.
Burp Suite’s Intruder characteristic can shortly iterate over these integers and determine articles which may be uncovered unintentionally. It might then return the physique textual content, which can comprise the delicate knowledge of a number of unsecured articles without delay.
Methods to safe Information Bases towards unauthorised entry
Run common diagnostics on Information Base entry controls
ServiceNow’s Person Standards diagnostics instrument permits directors to find out which customers, each authenticated and unauthenticated, have the power to entry Information Bases and particular person articles.
Navigate to /get_public_knowledge_bases.do to determine public Information Bases, and the complete diagnostics instrument at /km_diagnostics.do to determine the entry stage of public and private customers to particular person articles.
Use Enterprise Guidelines to disclaim unauthenticated entry to Information Bases by default
Make sure the “sys_id 6c8ec5147711111016f35c207b5a9969” Enterprise Rule — which provides the Visitor Person to the “Can not Learn and Can not Contribute” Person Standards — is activated for Information Bases.