ServiceNow misconfigurations expose Fortune 200 firms' data
Private data belonging to organisations around the globe, including some in the Fortune 200, is currently being exposed on the web due to misconfigurations in ServiceNow applications. Aaron Costello, chief of SaaS security research at AppOmni Labs, has identified that more than 1,000 applications are affected, amounting to 45% of those tested since April 2023.
85% of the Fortune 500 use ServiceNow to manage IT services and processes. The primary issue arises from the way certain companies misconfigure ServiceNow Knowledge Bases (KBs), which are platforms designed for users to store, share, and manage content. These applications are made public, inadvertently allowing unrestricted access to sensitive organisational information.
Costello highlighted, "ServiceNow Knowledge Bases can contain information such as internal company documentation for staff which contains answers to common problems, IT support requests, high-level system information, data related to HR processes and more. In some cases, it has been found to include more sensitive information such as active credentials that can be used to access other company systems, detailed design documents describing proprietary software, and intricate mappings of the organisation's corporate network."
He added, "With access to this type of information, cybercriminals could launch attacks into other company systems. These attacks could be immediate in nature, such as stealing the credentials and using them to access database information in other company systems, or long term – gaining and maintaining access to those systems. They could also provide valuable intel which could lay the groundwork for future attacks."
The data exposed on the web includes names, phone numbers, internal system details, and active credentials to other live company systems. Costello emphasised the critical nature of this issue by stating, "This is critical for organisations that use ServiceNow to know about because it can lead to the exposure of sensitive information such as PII, internal system information, and active credentials." He stressed the importance of enterprises routinely checking and updating their security configurations to prevent unauthorised access and protect their data assets.
The research conducted by AppOmni has prompted some improvements in the security of ServiceNow. These include new security properties that restrict unauthenticated users' data access and the introduction of 'Security Attributes' to Access Control Lists (ACLs). However, these changes have not provided added protections to the Knowledge Base, which remains a prevalent source of data exposure.
Ben De Bont, Chief Information Security Officer at ServiceNow said, "ServiceNow is committed to fostering collaboration with the security community. We are committed to protecting our customers' data, and security researchers are important partners in our ongoing efforts to improve the security of our products." He thanked AppOmni and Costello for their research and efforts, noting their cooperation in delaying publication to allow time for evaluation and appropriate configuration by ServiceNow and its customers.
This issue largely stems from outdated configurations and misconfigured access controls in KBs. According to Costello, many companies may not fully understand KB access controls or inadvertently replicate poor configuration practices across multiple instances. "The current insecure state of most KBs comes down to several key points," he explained. These include organisations retaining insecure settings due to the age of the enterprise instances and the misuse or misunderstanding of User Criteria in access settings.
To mitigate these risks, Costello advised that organisations run regular diagnostics on their KB access controls and activate the Out-Of-Box Business Rules designed to prevent unauthorised access. Companies should also keep their contact information with ServiceNow up to date so that they receive the latest security updates and recommendations.
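The diagnostic Costello recommends amounts to asking, for every Knowledge Base, whether its User Criteria let an unauthenticated (guest) user read it. The following is an added example written for this article, not code from AppOmni, ServiceNow or the article itself. It assumes a KB access export flattened into the simple dataclasses below (one record per KB with its "Can Read" and "Cannot Read" User Criteria) and models User Criteria matching as follows: a criteria record with no populated conditions matches everyone, including guest; otherwise a user matches if they satisfy any populated condition, or all of them when `match_all` is set; a matching "Cannot Read" entry overrides "Can Read". Those rules, the field names and the sample KBs are assumptions for the purpose of the check, not a statement of how the platform evaluates criteria.

```python
"""Offline audit of Knowledge Base read access against a guest principal.

Added example (not from the article, AppOmni or ServiceNow). The record shape
and the User Criteria matching rules are assumptions, see the comments.
"""
from dataclasses import dataclass, field

# Assumed representation of an unauthenticated user.
GUEST = {"user": "guest", "roles": set(), "groups": set(), "company": None}


@dataclass
class UserCriteria:
    """Assumed shape of a User Criteria record: sets of allowed principals."""
    name: str
    users: set = field(default_factory=set)
    groups: set = field(default_factory=set)
    roles: set = field(default_factory=set)
    companies: set = field(default_factory=set)
    match_all: bool = False

    def matches(self, principal: dict) -> bool:
        conditions = [
            (self.users, {principal["user"]}),
            (self.groups, set(principal.get("groups", ()))),
            (self.roles, set(principal.get("roles", ()))),
            (self.companies, {principal.get("company")}),
        ]
        populated = [(allowed, have) for allowed, have in conditions if allowed]
        if not populated:
            # Assumed rule: a criteria with no conditions matches every user,
            # which is exactly the configuration that exposes a KB to guest.
            return True
        hits = [bool(allowed & have) for allowed, have in populated]
        return all(hits) if self.match_all else any(hits)


@dataclass
class KnowledgeBase:
    title: str
    can_read: list = field(default_factory=list)
    cannot_read: list = field(default_factory=list)


def audit_kb(kb: KnowledgeBase) -> list:
    """Return human-readable findings for one KB (empty list means no finding)."""
    findings = []
    # Assumed precedence: a matching Cannot Read entry blocks guest regardless.
    guest_blocked = any(c.matches(GUEST) for c in kb.cannot_read)
    if not kb.can_read:
        # Assumed default: with no Can Read criteria the KB is readable by
        # every authenticated user, which still deserves review.
        findings.append("no Can Read criteria: readable by every authenticated user")
    elif not guest_blocked:
        for crit in kb.can_read:
            if crit.matches(GUEST):
                findings.append(f"Can Read criteria '{crit.name}' matches the guest user")
    return findings


def audit(kbs: list) -> dict:
    """Map each KB title to its findings."""
    return {kb.title: audit_kb(kb) for kb in kbs}


# Constructed sample export: criteria and KBs invented for this example.
ANY_USER = UserCriteria("Any user")                      # no conditions at all
HR_STAFF = UserCriteria("HR staff", groups={"HR"})
EU_HR = UserCriteria("EU HR", groups={"HR"}, companies={"ACME EU"}, match_all=True)
GUEST_ONLY = UserCriteria("Guest", users={"guest"})       # used on Cannot Read

SAMPLE_KBS = [
    KnowledgeBase("IT Support", can_read=[ANY_USER]),                       # exposed
    KnowledgeBase("HR Policies", can_read=[HR_STAFF, EU_HR]),               # restricted
    KnowledgeBase("Staff FAQ", can_read=[ANY_USER], cannot_read=[GUEST_ONLY]),  # guest blocked
    KnowledgeBase("Legacy Network Docs"),                                   # no criteria at all
]

if __name__ == "__main__":
    for title, findings in audit(SAMPLE_KBS).items():
        status = "OK" if not findings else "REVIEW"
        print(f"{status:6} {title}")
        for line in findings:
            print(f"       - {line}")
```

Run on a real export, the two finding types map onto the two root causes the article names: an empty or guest-matching "Can Read" criteria (misused User Criteria) and a KB with no criteria at all (an aged instance still carrying its original settings). Either way the output is a review list for the KB owner, not a verdict, because the real platform may apply further rules this model does not know about.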