A company named Assetnote has published research on a series of vulnerabilities in ServiceNow which, when chained together, can create huge problems for those who rely on ServiceNow:
Through the course of three to four weeks, we were able to find a chain of vulnerabilities that allows full database access and full access to any MID servers configured.
The following CVEs were assigned for these issues:
CVE-2024-4879
CVE-2024-5178
CVE-2024-5217
Tom Siu, CISO, Inversion6 had this comment on this research:
The input validation flaw means that regular data entry fields, such as a user login window where a user would type a userid, do not check whether the data inputs are as expected. This means an attack, such as the well-known “SQL Injection” attack could be used to gain access to the system’s backend data. The OWASP Top 10 Web vulnerabilities list this as A03:2021 – Injection, where 03 means it is the third most prevalent risk.
Since many customers of ServiceNow include IT Help Desk functionality, a successful attack could reveal critical internal information about users (email, phone numbers), IT issues, and operational challenges the organization manages, permitting well-crafted social engineering attacks. I could see an attack spoofing a Help Desk support call.
Of major importance for cybersecurity teams – some organizations use ServiceNow to track and manage security events and incidents. The disclosure of this highly sensitive operational security information would be disastrous to IT and cybersecurity teams. Cybersecurity teams should use this risk impact to amplify priority for patch implementation of ServiceNow utilities.
ServiceNow has released mitigations to this chain of vulnerabilities. Thus if you haven’t applied them, now would be a good time to do so. I’d also read the research on this, as this clearly is a non-trivial chain of vulnerabilities.
ServiceNow Vulnerability Chain Disclosed By Assetnote
Posted in Commentary with tags ServiceNow on July 27, 2024 by itnerd