
From Weaponization to Victimization: Fallout from the ServiceNow Vulnerability

Cyble observes how Dark Web forums reveal ServiceNow users falling victim to a Remote Code Execution vulnerability, which exposes sensitive data and escalates risks across sectors, particularly for Financial Services.

August 6, 2024 · 4 min read

ServiceNow is a cloud-based platform that provides enterprise service management (ESM) software. It is designed to help organizations manage digital workflows for enterprise operations.  

ServiceNow offers a range of solutions, including IT Service Management (ITSM), IT Operations Management (ITOM), IT Business Management (ITBM), Customer Service Management (CSM), Human Resources Service Delivery (HRSD), and Application Development, with the aim of improving efficiency, reducing operational costs, and enhancing user experiences by automating and optimizing business processes. ServiceNow is driven by a unified technology stack known as the Now Platform. All solutions, including IT, Operations, Customer Service, HR, Shared Services, Finance, and more, are built on this platform.

On July 10, 2024, the vendor disclosed three critical vulnerabilities affecting various versions of the Now Platform, including the Washington D.C., Vancouver, and Utah releases. Following the security alert, multiple exploits and scanning scripts made their way into the public domain. By the end of July 2024, security vendors started observing exploitation attempts against ServiceNow instances spanning multiple sectors, with a particular focus on the BFSI industry.

Two key observations were derived from the exploitation attempts observed:

  1. Attackers leveraged automated scanning scripts/tools to conduct reconnaissance of outdated ServiceNow instances.
  2. Attackers targeted the vulnerable ServiceNow instances by injecting tailored payloads to retrieve the contents of their databases.

Successful exploitation of the vulnerability allowed an attacker to fetch database details such as usernames and passwords, which could be leveraged by Threat Actors (TAs) for varied motives. Given the impact and nature of the vulnerability, Cyble Research Intelligence Labs (CRIL) actively monitored incidents emanating from this vulnerability across underground and cybercrime forums and discovered the following:


Figure 1– Screenshot of ServiceNow Exploits, Proof of Concepts, and Victim Database being sold/distributed in Cybercrime Forums 


Vulnerability Details 

CVE-2024-4879 and CVE-2024-5217 both fall under the critical severity category and allow an unauthenticated user to remotely execute code within the context of the Now Platform. CVE-2024-5178 is rated medium severity and enables an administrative user to gain unauthorized access to sensitive files on the web application server.

The table below provides details of the recently disclosed ServiceNow vulnerabilities.

Table 1 – Recently disclosed ServiceNow vulnerabilities

| CVE | Vulnerability | Affected Platform | CVSS 4.0 Score & Severity |
|---|---|---|---|
| CVE-2024-4879 | Jelly Template Injection | Vancouver and Washington, D.C. Now Platform releases | 9.3 – Critical |
| CVE-2024-5178 | Incomplete Input Validation | Vancouver, Washington, D.C., and Utah Now Platform releases | 6.9 – Medium |
| CVE-2024-5217 | Incomplete Input Validation | Washington, D.C., Vancouver, and earlier Now Platform releases | 9.2 – Critical |

Patch Link provided by the vendor – Link 

Impact 

The vulnerabilities discussed (Table 1) can be chained together, resulting in Remote Code Execution (RCE) on the ServiceNow MID server, which gives an attacker unauthorized access to sensitive data and can lead to data breaches and disruption of operations within an organization. Victim organizations can suffer major financial and reputational losses from successful exploitation of the ServiceNow vulnerabilities.

Internet Exposure of ServiceNow  

During the investigation, the Cyble ODIN scanner observed over 16,000 internet-exposed instances of ServiceNow, with the majority of instances from the United States region, as shown in the figure below. 


Figure 2 – Graph representing internet exposure of ServiceNow (source: ODIN) 

Conclusion 

The ServiceNow vulnerability (CVE-2024-4879) poses a significant threat to organizations running outdated Now Platform releases. The threat is heightened considerably by the extensive online exposure of ServiceNow instances and the distribution of exploit scripts on cybercrime forums. Organizations should therefore stay vigilant and promptly apply security patches to address this issue.

Recommendations 

  • Implement the latest patch released by the official vendor: Regularly update all software and hardware systems with the latest patches from official vendors to mitigate vulnerabilities and protect against exploits. Establish a routine schedule for patch application and ensure critical patches are applied immediately. 
  • Implement a robust patch management process: Develop a comprehensive patch management strategy that includes inventory management, patch assessment, testing, deployment, and verification. Automate the process where possible to ensure consistency and efficiency. 
  • Implement proper network segmentation to avoid exposing critical assets over the Internet: Divide your network into distinct segments to isolate critical assets from less secure areas. Use firewalls, VLANs, and access controls to limit access and reduce the attack surface exposed to potential threats. 
  • Visibility into an organization’s external and internal assets: Maintain an up-to-date inventory of all internal and external assets, including hardware, software, and network components. Use asset management tools and continuous monitoring to ensure comprehensive visibility and control over your IT environment. 

