1,000+ ServiceNow Instances Leaking Corporate Data Via Knowledge Bases


A recent study has revealed that over 1,000 enterprise ServiceNow instances have unintentionally exposed sensitive corporate data through their Knowledge Bases (KBs), posing significant security risks to affected organizations.

AppOmni’s research over the past year found that nearly 45% of the enterprise instances tested had misconfigured KB access controls, leading to the exposure of sensitive data such as Personally Identifiable Information (PII), internal system details, and active credentials or tokens for live production systems.


Organizations with multiple ServiceNow instances consistently misconfigured KB access controls across each instance, suggesting a systematic misunderstanding or accidental replication of poor controls.

The root cause of this vulnerability lies in the complex nature of User Criteria, which are used to secure KBs instead of Access Control Lists (ACLs).


Unlike ACLs, which were recently enhanced with a ‘UserIsAuthenticated’ Security Attribute, User Criteria do not benefit from this added layer of security.

“The root cause (misconfigured ACLs) was mitigated through the default addition of a security attribute to out-of-the-box (OOB) ACLs, while the avenues for data exposure (public widgets) were mitigated through the addition of system properties which restricted what data the widgets could query,” Aaron Costello of AppOmni said.

Furthermore, many administrators are unaware that certain User Criteria, such as ‘Any User’ and ‘Any user for kb’, grant access to unauthenticated users, leading to unintended data exposure.

The study also highlighted that many enterprise instances created before the Orlando release still retain the insecure ‘allow public access by default’ value for KBs.

This, combined with the complicated relationship between multiple system properties and how they affect access, has created a perfect storm for data breaches.

To demonstrate the ease with which an unauthenticated malicious actor could access an insecure KB article, the researcher provided a proof of concept using an HTTP proxy like Burp Suite.

Response Intercepted Via Burp

This method allows for the brute-forcing of article IDs, making it possible to identify and access exposed articles quickly.

In light of these findings, organizations are urged to take immediate action to secure their KBs. This includes being aware of relevant security properties, activating out-of-the-box Business Rules to prevent unauthenticated access by default, and routinely running diagnostics on KB access controls using ServiceNow’s built-in tools.
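As an added illustration of the kind of diagnostic described above (this is not AppOmni's or ServiceNow's code), the following offline audit walks constructed records shaped like rows from the user_criteria and kb_knowledge_base tables and reports which Knowledge Bases an unauthenticated user could read. The field names, the can_read mapping, and the rule that a criterion with no conditions matches everyone are assumptions.

```python
# Added example, not code from the article or from AppOmni/ServiceNow.
# Records below are constructed; field names and can_read mapping are assumptions.

PUBLIC_CRITERIA_NAMES = {"any user", "any user for kb"}  # criteria named in the article
CONDITION_FIELDS = ("users", "groups", "roles", "companies", "departments", "locations")

def _uc(sys_id, name, **conds):
    """Build a constructed user_criteria row; unspecified condition fields are empty."""
    row = {"sys_id": sys_id, "name": name, "advanced": "false", "script": ""}
    row.update({f: conds.get(f, "") for f in CONDITION_FIELDS})
    row.update({k: v for k, v in conds.items() if k not in CONDITION_FIELDS})
    return row

SAMPLE_CRITERIA = [
    _uc("uc1", "Any User"),
    _uc("uc2", "Any user for kb"),
    _uc("uc3", "ITIL staff", roles="itil"),
    _uc("uc4", "All staff copy"),   # renamed clone with no conditions: assumed to match everyone
    _uc("uc5", "Contractors", advanced="true", script="answer = gs.getUser().isMemberOf('Contractors');"),
]

SAMPLE_KBS = [
    {"sys_id": "kb1", "title": "IT Runbooks", "can_read": ["uc3"]},
    {"sys_id": "kb2", "title": "HR Policies", "can_read": ["uc1", "uc3"]},
    {"sys_id": "kb3", "title": "Vendor Contacts", "can_read": []},   # relies on the instance default
    {"sys_id": "kb4", "title": "Onboarding", "can_read": ["uc4"]},
]

def grants_unauthenticated(criterion):
    """True if a criterion matches every requester, including unauthenticated ones."""
    if criterion["name"].strip().lower() in PUBLIC_CRITERIA_NAMES:
        return True
    if criterion.get("advanced") == "true":   # scripted criteria cannot be decided offline
        return False
    return all(not criterion.get(f) for f in CONDITION_FIELDS)

def audit_knowledge_bases(kbs, criteria, public_by_default):
    """Return (kb title, reason) for each KB an unauthenticated user could read."""
    by_id = {c["sys_id"]: c for c in criteria}
    findings = []
    for kb in kbs:
        if not kb["can_read"]:
            if public_by_default:   # pre-Orlando 'allow public access by default' behaviour
                findings.append((kb["title"], "no read criteria and public-by-default is on"))
            continue
        for cid in kb["can_read"]:
            c = by_id.get(cid)
            if c and grants_unauthenticated(c):
                findings.append((kb["title"], f"read criterion '{c['name']}' matches unauthenticated users"))
    return findings

if __name__ == "__main__":
    for title, reason in audit_knowledge_bases(SAMPLE_KBS, SAMPLE_CRITERIA, public_by_default=True):
        print(f"{title}: {reason}")
```

Scripted (advanced) criteria are reported as safe only because they cannot be evaluated offline; review those by hand.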

By addressing these vulnerabilities, organizations can significantly reduce the risk of data breaches and protect their critical assets.
