Over 1,000 ServiceNow Instances Leaking Corporate Data

Over 1,000 ServiceNow instances have been found misconfigured and exposing sensitive corporate information to external users and potential threat actors. Depending on what a given Knowledge Base covers, the exposed data includes personally identifiable information (PII), internal system details, user credentials, access tokens for live production systems, and other sensitive content.

Aaron Costello, chief of SaaS security research at AppOmni, discovered the issue after a 2023 report highlighted ServiceNow's updates aimed at improving Access Control Lists (ACLs). However, most ServiceNow Knowledge Bases (KBs) are governed by the User Criteria permission system rather than by ACLs, so the ACL update did not close this gap.

The exposed KB articles contain sensitive information about organizations, including PII and internal system details. This is a significant problem because these articles were never meant to be public. Since KB article numbers follow a predictable sequence, malicious actors can brute-force them with tools like Burp Suite and retrieve the articles from vulnerable endpoints without authentication.

AppOmni suggests that ServiceNow admins protect KB articles by setting the appropriate User Criteria ("Can Read" / "Cannot Read") so that all unauthorized users are blocked. If public access to a Knowledge Base isn't explicitly needed, administrators should turn it off to prevent its articles from being accessible on the internet.

The researchers also highlight specific ServiceNow system properties that guard KB data from unauthorized access, including:

* glide.knowman.block_access_with_no_user_criteria (True): Automatically denies access to authenticated and unauthenticated users if no User Criteria are set for a KB article.
* glide.knowman.apply_article_read_criteria (True): Requires users to have explicit “Can Read” access to individual articles, even if they have “Can Contribute” access to the entire KB.
* glide.knowman.show_unpublished (False): Prevents users from seeing draft or unpublished articles, which may contain sensitive, unreviewed information.

It is recommended to activate ServiceNow’s pre-built out-of-the-box (OOB) rules that automatically add Guest Users to the “Cannot Read” list for newly created KBs, requiring admins to specifically give them access when needed.
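As an added example (not code from the original article, from AppOmni, or from ServiceNow), the script below audits the three system properties listed above against the recommended values and flags Knowledge Bases whose User Criteria leave them readable by unauthenticated users. The property records are shaped like the JSON that ServiceNow's Table API returns for `sys_properties`; the Knowledge Base records are a simplified, constructed representation (a title plus the names on its "Can Read" and "Cannot Read" lists), and the instance name, credentials and the user criteria label "Guest" are assumptions for illustration.

```python
"""Audit ServiceNow Knowledge Base hardening settings (added example)."""
import base64
import json
import urllib.request

# Hardened values recommended in the article. ServiceNow stores boolean
# system properties as the strings "true" / "false".
EXPECTED = {
    "glide.knowman.block_access_with_no_user_criteria": "true",
    "glide.knowman.apply_article_read_criteria": "true",
    "glide.knowman.show_unpublished": "false",
}
BLOCK_NO_CRITERIA = "glide.knowman.block_access_with_no_user_criteria"
GUEST = "Guest"  # assumed label of the User Criteria record for unauthenticated users


def fetch_knowman_properties(instance, user, password):
    """Pull glide.knowman.* properties via the Table API (needs network + creds).
    instance/user/password are assumptions; not exercised by the offline sample."""
    url = (f"https://{instance}.service-now.com/api/now/table/sys_properties"
           "?sysparm_query=nameSTARTSWITHglide.knowman&sysparm_fields=name,value")
    req = urllib.request.Request(url, headers={"Accept": "application/json"})
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req.add_header("Authorization", f"Basic {token}")
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["result"]


def properties_by_name(records):
    """Map property name -> normalised value from Table API style records."""
    return {r["name"]: (r.get("value") or "").strip().lower() for r in records}


def audit_properties(records):
    """Return {property: finding} comparing each property with EXPECTED."""
    current = properties_by_name(records)
    findings = {}
    for name, want in EXPECTED.items():
        if name not in current:
            findings[name] = "MISSING (not explicitly set; verify the instance default)"
        elif current[name] != want:
            findings[name] = f"WEAK (value={current[name]!r}, want {want!r})"
        else:
            findings[name] = "OK"
    return findings


def audit_knowledge_bases(kbs, records):
    """Return {kb title: finding}. kbs is a constructed list of dicts with
    'title', 'can_read' and 'cannot_read' (lists of User Criteria names)."""
    block_no_criteria = properties_by_name(records).get(BLOCK_NO_CRITERIA) == "true"
    findings = {}
    for kb in kbs:
        can, cannot = kb["can_read"], kb["cannot_read"]
        if GUEST in can:
            findings[kb["title"]] = "PUBLIC (Guest is on the Can Read list)"
        elif not can and not cannot and not block_no_criteria:
            findings[kb["title"]] = ("OPEN (no User Criteria and "
                                     f"{BLOCK_NO_CRITERIA} is not true)")
        elif GUEST in cannot:
            findings[kb["title"]] = "OK (Guest explicitly on Cannot Read)"
        else:
            findings[kb["title"]] = "REVIEW (Guest not explicitly denied; confirm Can Read scope)"
    return findings


def is_hardened(records, kbs):
    """True only when every property and every KB comes back OK."""
    return (all(v == "OK" for v in audit_properties(records).values())
            and all(v.startswith("OK") for v in audit_knowledge_bases(kbs, records).values()))


# Constructed sample data: a weakly configured instance.
SAMPLE_PROPERTIES = [
    {"name": "glide.knowman.block_access_with_no_user_criteria", "value": "false"},
    {"name": "glide.knowman.show_unpublished", "value": "true"},
]  # apply_article_read_criteria deliberately absent
SAMPLE_KBS = [
    {"title": "IT Self-Service", "can_read": [GUEST], "cannot_read": []},
    {"title": "Internal Engineering", "can_read": [], "cannot_read": []},
    {"title": "HR Policies", "can_read": ["HR staff"], "cannot_read": [GUEST]},
]

if __name__ == "__main__":
    for name, finding in audit_properties(SAMPLE_PROPERTIES).items():
        print(f"{name}: {finding}")
    for title, finding in audit_knowledge_bases(SAMPLE_KBS, SAMPLE_PROPERTIES).items():
        print(f"KB '{title}': {finding}")
```

Run it against the constructed sample and every property comes back WEAK or MISSING, the public KB is flagged PUBLIC and the KB with no criteria is flagged OPEN, because the blocking property is not enabled. Pointing `fetch_knowman_properties` at a real instance (with a read-only account) and feeding its result into `audit_properties` gives the same report for live settings.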
Source: https://www.bleepingcomputer.com/news/security/over-1-000-servicenow-instances-found-leaking-corporate-kb-data/