A security researcher recently warned that the popular ServiceNow platform suffers from a data exposure issue that could potentially affect a huge swath of customers. The misconfiguration allegedly affects a key function of the platform and could allow data extraction by unauthenticated users. Subsequently, Cybersixgill detected a ServiceNow misconfiguration scanner on GitHub and a debate on a popular clear web forum about the severity of the issue.
THE HEADLINE
On October 14, 2023, a security researcher published a report about a data exposure issue (“built-in capability”) affecting the ServiceNow[1] cloud-based business platform.[2] The issue affects a key function called Simple List[3] and could apparently allow data extraction by unauthenticated users. ServiceNow is a widely used platform and the researcher who discovered the issue warned that customer data may have been compromised for several years.
As of October 19, 2023, ServiceNow recognized a “misconfiguration issue,” but neither denied nor confirmed the alleged threat posed by the flaw. The researcher who discovered the issue cautioned against referring to it as a “vulnerability” or “zero-day,” since the underlying component is open-source. To that end, the researcher compared the ServiceNow issue to a Salesforce data exposure issue he previously documented, referring to both as out-of-the-box (OOB) functionalities that exist by default.
The researcher ultimately warned that, based on his observations, similar vectors exist across other software-as-a-service[4] (SaaS) applications. These vectors, combined with pervasive yet incorrect assumptions about SaaS security in general, led the researcher to caution that public access to data is a widespread problem.
According to the report about the Simple List issue, thousands of organizations are impacted. Indeed, an open-source intelligence (OSINT) site quoted the researcher as saying around 70% of total instances are affected. The type of data that has been exposed allegedly includes internal documents, names, and email addresses. Ultimately, the data could be abused in phishing attacks, social engineering campaigns, and other malicious activities.
The issue has apparently existed since the introduction of Simple List in 2015. The researcher who discovered it said there was no evidence of exploitation in the wild, but cautioned that his findings did not conclusively establish that the flaw has not been leveraged by threat actors. A number of mitigation strategies were suggested, including internet protocol (IP) address restrictions for inbound traffic, disabling public widgets, and utilizing a plugin to fortify access control lists.
DIVING DEEPER
The Cybersixgill Investigative Portal collected a repository containing a misconfiguration scanner developed in response to the October 14, 2023 report about ServiceNow Simple List data exposure. This scanner was developed by researchers to identify and detect the misconfiguration in ServiceNow so that it can be remedied.
Despite the very clear caveat in the repository that the scanner is intended for educational and ethical testing purposes only (and the disclaimer that the authors are not responsible for any misuse or damage caused by the tool), threat actors could potentially use it for unauthorized access, data breaches, or other malicious activities.
Furthermore, the scanner in the October 15, 2023 post below (Figure 1) appeared just one day after the initial report about the ServiceNow issue was published. This suggests that threat actors may be able to develop malicious tools to exploit the issue in a narrow time frame as well. In light of the sheer number of allegedly exposed instances, this could represent a significant threat for ServiceNow customers.
Figure 1: A misconfiguration scanner for ServiceNow
In addition to the scanner above, Cybersixgill also collected a debate on a popular clear web forum related to the severity of the ServiceNow data exposure issue, which was posted in a section devoted to network security. One commenter dismissed the issue as “smoke and mirrors,” claiming that any potentially exposed data does not qualify as sensitive (i.e., personally identifiable information, or PII). Instead, this commenter claimed that only user names or employees’ names could be exposed.
In response, a commenter who self-identified as a “bug bounty hunter” disagreed, stating that they had scanned for the issue for two days and found exposed internal knowledge bases, leaked emails for employees, and “leaked incident details loaded with internal security details and chatter.” The commenter added that they also discovered PII, concluding that most organizations that use ServiceNow are affected.
Figure 2: A discussion about the ServiceNow data exposure issue
TAKEAWAYS
While the severity of the ServiceNow data exposure issue is currently being debated, the underground may seize on the misconfiguration in the near future in attempts to exploit it in the wild. Historically, threat actors have jumped on similar issues, attempting to monetize them in various ways. Indeed, it is widely expected that cybercriminals will try to exploit the ServiceNow data exposure issue. Therefore, all organizations must prepare for such scenarios and bolster their systems’ security by following ServiceNow’s recommendations.
[1] ServiceNow is a cloud-based platform for IT service management (ITSM) and business process automation (BPA), designed to streamline workflows and automate tasks.
[2] https://www.enumerated.ie/servicenow-data-exposure
[3] The Simple List function returns record data when users provide tables and fields as input.
[4] Software-as-a-service (SaaS) is a popular model for licensing business platforms and other essential platforms.