From Weaponization to Victimization: Fallout from the ServiceNow Vulnerability

Cyble observes how Dark Web forums reveal ServiceNow users falling victim to a Remote Code Execution vulnerability, which exposes sensitive data and escalates risks across sectors, particularly for Financial Services.

ServiceNow is a cloud-based platform that provides enterprise service management (ESM) software. It is designed to help organizations manage digital workflows for enterprise operations.  

ServiceNow offers a range of solutions, including IT Service Management (ITSM), IT Operations Management (ITOM), IT Business Management (ITBM), Customer Service Management (CSM), Human Resources Service Delivery (HRSD), and Application Development, with the aim of improving efficiency, reducing operational costs, and enhancing user experiences by automating and optimizing business processes. ServiceNow is driven by a unified technology stack known as the Now Platform. All solutions, including IT, Operations, Customer Service, HR, Shared Services, Finance, and more, are built on this platform.

On July 10th, 2024, the official vendor disclosed three critical vulnerabilities that affect various versions of the Now Platform, including the Washington D.C., Vancouver, and Utah releases. Following the security alert, multiple exploits and scanning scripts made their way into the public domain. By the end of July 2024, security vendors had started observing exploitation attempts against ServiceNow instances spanning multiple sectors, with a particular focus on the BFSI industry.

Two key observations were derived from the exploitation attempts observed: 

  1. Attackers leveraged automated scanning scripts/tools to conduct reconnaissance of outdated ServiceNow instances.
  2. Attackers targeted the vulnerable ServiceNow instances by injecting tailored payloads to retrieve the contents of the databases.

The successful exploitation of the vulnerability allowed an attacker to fetch database details such as usernames and passwords, which could be leveraged by Threat Actors (TAs) for varied motives. Taking into cognizance the impact and nature of the vulnerability, Cyble Research Intelligence Labs (CRIL) actively monitored incidents emanating from this vulnerability over the underground and cybercrime forums and discovered the following: 


Figure 1– Screenshot of ServiceNow Exploits, Proof of Concepts, and Victim Database being sold/distributed in Cybercrime Forums 


Vulnerability Details 

CVE-2024-4879 and CVE-2024-5217 both fall under the critical severity category and allow an unauthenticated user to remotely execute code within the context of the Now Platform. CVE-2024-5178 is rated medium severity and enables an administrative user to gain unauthorized access to sensitive files on the web application server.

The table below provides details of the recently disclosed ServiceNow vulnerabilities.  

| CVE | Vulnerability | Affected Platform | CVSS 4.0 Score & Severity |
|---|---|---|---|
| CVE-2024-4879 | Jelly Template Injection | Vancouver and Washington, D.C. Now Platform releases | 9.3 – Critical |
| CVE-2024-5178 | Incomplete Input Validation | Vancouver, Washington, D.C., and Utah Now Platform releases | 6.9 – Medium |
| CVE-2024-5217 | Incomplete Input Validation | Washington, D.C., Vancouver, and earlier Now Platform releases | 9.2 – Critical |

Patch Link provided by the vendor – Link 

Impact 

The vulnerabilities discussed (Table 1) can be chained together, resulting in Remote Code Execution (RCE) on the ServiceNow MID server, which gives an attacker unauthorized access to sensitive data and can lead to data breaches and disruption of operations within an organization. Victim organizations can suffer major financial and reputational loss from successful exploitation of the ServiceNow vulnerabilities.

Internet Exposure of ServiceNow  

During the investigation, the Cyble ODIN scanner observed over 16,000 internet-exposed instances of ServiceNow, with the majority of instances from the United States region, as shown in the figure below. 


Figure 2 – Graph representing internet exposure of ServiceNow (source: ODIN) 

Conclusion 

The ServiceNow vulnerability (CVE-2024-4879) poses a significant threat to organizations relying on outdated firmware versions. The vulnerability’s threat is significantly heightened by the extensive online exposure of ServiceNow instances and the distribution of exploit scripts on cybercrime forums. Therefore, it is essential for organizations to stay vigilant and promptly apply security patches to address this issue. 

Recommendations 

  • Implement the latest patch released by the official vendor: Regularly update all software and hardware systems with the latest patches from official vendors to mitigate vulnerabilities and protect against exploits. Establish a routine schedule for patch application and ensure critical patches are applied immediately. 
  • Implement a robust patch management process: Develop a comprehensive patch management strategy that includes inventory management, patch assessment, testing, deployment, and verification. Automate the process where possible to ensure consistency and efficiency. 
  • Implement proper network segmentation to avoid exposing critical assets over the Internet: Divide your network into distinct segments to isolate critical assets from less secure areas. Use firewalls, VLANs, and access controls to limit access and reduce the attack surface exposed to potential threats. 
  • Visibility into an organization’s external and internal assets: Maintain an up-to-date inventory of all internal and external assets, including hardware, software, and network components. Use asset management tools and continuous monitoring to ensure comprehensive visibility and control over your IT environment. 

