# Over 1,000 ServiceNow Instances Found Leaking Corporate Knowledge Base Data: A Comprehensive Analysis
### Introduction
A recent report has revealed that over 1,000 ServiceNow instances are misconfigured, leading to the unintentional exposure of sensitive corporate Knowledge Base (KB) data. These instances contain valuable organizational information, ranging from Personally Identifiable Information (PII) to internal credentials and access tokens, which could be exploited by malicious actors. Despite ServiceNow’s efforts to address these issues in their 2023 update, the misconfiguration of access controls remains a prevalent risk for organizations relying on the platform for managing their digital workflows.
### What is ServiceNow?
ServiceNow is a cloud-based platform designed to facilitate various digital workflows, integrating IT service management, operations, HR tasks, customer service, and security tools. One of its essential features is the Knowledge Base (KB), which serves as a repository for internal guides, procedures, and other articles meant to streamline operational efficiency. KBs provide critical resources for authorized users but can become a significant security liability if not properly configured.
### Misconfigured KBs and Data Exposure
Despite a 2023 ServiceNow security update aimed at preventing unauthorized access through new Access Control Lists (ACLs), many organizations failed to secure their KBs appropriately. The root cause lies in the User Criteria permission system, which many KBs rely on rather than ACLs, leading to a vulnerability that the 2023 update could not resolve.
A major concern is that public-facing widgets within the platform, used by organizations for customer-facing tasks, did not receive the ACL security patch. Consequently, unauthorized individuals can access KB articles, which are numbered incrementally, by brute-forcing Knowledge Base article numbers using basic tools like Burp Suite.
### Scope of the Exposure
According to Aaron Costello, Chief of SaaS Security Research at AppOmni, these exposed KB articles include sensitive organizational information such as:
- Personally Identifiable Information (PII)
- Internal system configurations
- User credentials and tokens
- Access details for live production systems
The severity of the issue varies across instances, but the presence of this kind of information represents a serious risk for the affected organizations. Knowledge Base articles are typically structured with predictable ID formats (e.g., KB0000001), making it easy for attackers to systematically brute-force these identifiers and potentially retrieve a significant amount of sensitive data.
### The Proof-of-Concept Attack
To demonstrate the severity of the misconfiguration, AppOmni developed a proof-of-concept (PoC) attack that showed how an unauthenticated external user could query public-facing widgets on a ServiceNow instance and retrieve KB article data by brute-forcing incremental article IDs. This vulnerability exploits the fact that ServiceNow instances often do not have stringent access controls, particularly when public widgets are involved.
The attack begins by intercepting a token used for querying the ServiceNow instance, and then brute-forcing the article IDs until the attacker retrieves KB articles that were inadvertently exposed due to misconfigured permissions.
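The access pattern described above (one source walking through consecutive KB article numbers, collecting a mix of successful and denied responses) is something a defender can look for in web-access or transaction logs. The following detector is an added example, not code from the article, AppOmni or ServiceNow; the log line format, the addresses and the KB numbers are constructed for the example, and `parseLine()` is the piece to adapt to a real log source.

```javascript
// Added example (not from the article, AppOmni or ServiceNow): flag sources
// that request many distinct, mostly consecutive KB article numbers within a
// short window. The log format below is CONSTRUCTED for this example.

const KB_ID_RE = /KB(\d{7})/;
const LINE_RE = /^(\S+)\s+src=(\S+)\s+path=(\S+)\s+status=(\d{3})$/;

// Constructed sample: one scripted source sweeping IDs, one ordinary user.
const SAMPLE_LOG = [
  "2024-09-05T10:00:00Z src=203.0.113.7 path=/kb?article=KB0000101 status=200",
  "2024-09-05T10:00:01Z src=203.0.113.7 path=/kb?article=KB0000102 status=403",
  "2024-09-05T10:00:01Z src=203.0.113.7 path=/kb?article=KB0000103 status=200",
  "2024-09-05T10:00:02Z src=203.0.113.7 path=/kb?article=KB0000104 status=404",
  "2024-09-05T10:00:02Z src=203.0.113.7 path=/kb?article=KB0000105 status=200",
  "2024-09-05T10:00:03Z src=203.0.113.7 path=/kb?article=KB0000106 status=200",
  "2024-09-05T10:00:05Z src=198.51.100.20 path=/kb?article=KB0004210 status=200",
  "2024-09-05T10:07:30Z src=198.51.100.20 path=/kb?article=KB0000042 status=200",
  "2024-09-05T10:09:00Z src=198.51.100.20 path=/search?q=vpn status=200",
];

// Parse one constructed log line; returns null for lines that are not KB
// article requests so that unrelated traffic is ignored.
function parseLine(line) {
  const m = LINE_RE.exec(line);
  if (!m) return null;
  const kb = KB_ID_RE.exec(m[3]);
  if (!kb) return null;
  return {
    ts: Date.parse(m[1]) / 1000,   // seconds since epoch
    src: m[2],
    article: Number(kb[1]),        // numeric part: KB0000101 -> 101
    status: Number(m[4]),
  };
}

// One finding per source whose requests look like ID enumeration: at least
// `minArticles` distinct articles inside `windowSec`, with at least
// `minSequential` of consecutive requests differing by <= `maxStep`.
function detectEnumeration(lines, { minArticles = 5, windowSec = 60, maxStep = 3, minSequential = 0.6 } = {}) {
  const bySrc = new Map();
  for (const line of lines) {
    const ev = parseLine(line);
    if (!ev) continue;
    if (!bySrc.has(ev.src)) bySrc.set(ev.src, []);
    bySrc.get(ev.src).push(ev);
  }
  const findings = [];
  for (const [src, evs] of bySrc) {
    evs.sort((a, b) => a.ts - b.ts);
    let best = { distinct: 0, sequential: 0, denied: 0, start: 0, end: 0 };
    // Sliding time window over the source's requests; keep the densest window.
    for (let i = 0, j = 0; i < evs.length; i++) {
      while (evs[i].ts - evs[j].ts > windowSec) j++;
      const win = evs.slice(j, i + 1);
      const distinct = new Set(win.map(e => e.article)).size;
      if (distinct <= best.distinct) continue;
      let steps = 0;
      for (let k = 1; k < win.length; k++) {
        if (Math.abs(win[k].article - win[k - 1].article) <= maxStep) steps++;
      }
      best = {
        distinct,
        sequential: win.length > 1 ? steps / (win.length - 1) : 0,
        denied: win.filter(e => e.status === 403 || e.status === 404).length,
        start: win[0].ts,
        end: win[win.length - 1].ts,
      };
    }
    if (best.distinct >= minArticles && best.sequential >= minSequential) {
      findings.push({ src, ...best });
    }
  }
  return findings;
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(detectEnumeration(SAMPLE_LOG), null, 2));
}
```

The `denied` count is worth keeping in the finding: an enumerating client collects 403 and 404 responses alongside its hits, whereas a user following links rarely does, so a high denied ratio strengthens the signal even when the window thresholds are tuned loosely.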
### Mitigating the Risk: Best Practices for Securing ServiceNow KBs
To prevent unauthorized access to KB articles, organizations using ServiceNow are urged to implement specific security measures. AppOmni recommends the following actions to protect KB data:
1. **User Criteria Configuration**
   ServiceNow administrators should ensure that the User Criteria is correctly set to restrict access based on defined roles. Misconfigurations, such as leaving criteria like "Any User" or "Guest User" enabled, make KB articles vulnerable to external access.
2. **Turn Off Public Access**
   If public access to KB articles is unnecessary, it is advisable to turn off this feature entirely. This will eliminate the risk of exposing sensitive data on the internet.
3. **Implement Security Controls**
   Organizations should activate the following ServiceNow security properties to protect KBs:
   - `glide.knowman.block_access_with_no_user_criteria` (True): This ensures that no user, whether authenticated or unauthenticated, can access KB articles if User Criteria is not explicitly defined.
   - `glide.knowman.apply_article_read_criteria` (True): This property enforces that even users with "Can Contribute" permissions cannot read KB articles unless they are explicitly given "Can Read" access.
   - `glide.knowman.show_unpublished` (False): Disables access to draft or unpublished KB articles, which often contain unreviewed, sensitive information.
   - `glide.knowman.section.view_roles.draft` (Admin): Ensures that only users with administrative roles can access KB articles in a draft state.
   - `glide.knowman.section.view_roles.review` (Admin): Restricts access to KB articles under review to specific administrative roles.
4. **Pre-built Out-of-the-Box (OOB) Rules**
   ServiceNow offers pre-configured OOB rules that automatically add Guest Users to the "Cannot Read" list for newly created KB articles. Enabling these rules will ensure that public access to KBs is restricted by default.
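The four recommendations above reduce to a checklist that can be audited mechanically: compare the five `glide.knowman.*` properties against their recommended values, and inspect each knowledge base's "Can Read" user criteria for open entries such as "Any User" or "Guest User". The script below is an added example, not code from the article, AppOmni or ServiceNow. Its input shape is an assumption: `props` is a plain `{name: value}` object such as one would build from exported `sys_properties` records, and `kbs` is a list of knowledge bases with the names of their "Can Read" criteria; the sample values are constructed. Treating the role-list properties as "exactly `admin`" is also an assumption made for the check, not a ServiceNow rule.

```javascript
// Added example (not from the article, AppOmni or ServiceNow): audit KB
// security properties and per-KB read criteria against the article's
// recommendations. Input shapes are ASSUMED; sample data is CONSTRUCTED.

const RECOMMENDED = {
  "glide.knowman.block_access_with_no_user_criteria": "true",
  "glide.knowman.apply_article_read_criteria": "true",
  "glide.knowman.show_unpublished": "false",
  "glide.knowman.section.view_roles.draft": "admin",
  "glide.knowman.section.view_roles.review": "admin",
};

// User criteria that grant read access to everyone, including guests.
const OPEN_CRITERIA = new Set(["Any User", "Guest User"]);

// Constructed sample: several deviations, and the review property is absent.
const SAMPLE_PROPS = {
  "glide.knowman.block_access_with_no_user_criteria": "false",
  "glide.knowman.apply_article_read_criteria": "true",
  "glide.knowman.show_unpublished": "true",
  "glide.knowman.section.view_roles.draft": "admin,knowledge",
};

const SAMPLE_KBS = [
  { title: "IT Runbooks", canRead: ["Guest User"] },
  { title: "HR Policies", canRead: ["Internal Employees"] },
  { title: "Legacy Procedures", canRead: [] },
];

function normalise(v) {
  return String(v ?? "").trim().toLowerCase();
}

// Compare each recommended property to the instance value. Role-list
// properties (".draft", ".review") are comma separated; any role beyond the
// recommended one widens who can see unpublished articles (assumed check).
function auditProperties(props) {
  const findings = [];
  for (const [name, want] of Object.entries(RECOMMENDED)) {
    const have = props[name];
    if (have === undefined) {
      findings.push({ name, have: null, want, issue: "property not set; platform default applies" });
      continue;
    }
    if (name.endsWith(".draft") || name.endsWith(".review")) {
      const roles = normalise(have).split(",").map(s => s.trim()).filter(Boolean);
      if (!(roles.length === 1 && roles[0] === want)) {
        findings.push({ name, have, want, issue: "roles beyond the recommended role can view" });
      }
    } else if (normalise(have) !== want) {
      findings.push({ name, have, want, issue: "value differs from recommended" });
    }
  }
  return findings;
}

// Flag KBs whose "Can Read" criteria include an open entry, and KBs with no
// criteria at all when the instance does not block access in that case.
function auditKnowledgeBases(kbs, blockWhenNoCriteria) {
  return kbs.flatMap(kb => {
    const issues = [];
    if (kb.canRead.length === 0 && !blockWhenNoCriteria) {
      issues.push("no Can Read criteria and block_access_with_no_user_criteria is not true");
    }
    for (const c of kb.canRead) {
      if (OPEN_CRITERIA.has(c)) issues.push(`Can Read includes "${c}"`);
    }
    return issues.map(issue => ({ kb: kb.title, issue }));
  });
}

// Full audit: property deviations plus per-KB criteria findings.
function runAudit(props, kbs) {
  const blocks = normalise(props["glide.knowman.block_access_with_no_user_criteria"]) === "true";
  return {
    properties: auditProperties(props),
    knowledgeBases: auditKnowledgeBases(kbs, blocks),
  };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(runAudit(SAMPLE_PROPS, SAMPLE_KBS), null, 2));
}
```

Running it over the constructed sample reports four property deviations (the blocking property set to false, unpublished articles shown, an extra role on the draft view list, and the review property unset) and two knowledge bases to fix (one readable by guests, one with no criteria on an instance that does not block that case).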
### ServiceNow's Response
In response to this issue, ServiceNow has acknowledged the potential for KB misconfigurations and has initiated steps to mitigate the risk. As of September 4, 2024, ServiceNow began proactively assisting customers with configuring their KBs to better align with security best practices. A ServiceNow spokesperson emphasized the company’s commitment to ongoing customer support and extensible security protocols to ensure KBs are configured based on the specific needs of each organization.
The widespread misconfiguration of ServiceNow instances has led to the exposure of sensitive Knowledge Base data, posing a significant security risk to enterprises. While ServiceNow has made efforts to improve security through ACL updates and proactive customer support, the onus remains on organizations to ensure that their KBs are properly secured. By implementing strict access controls, disabling unnecessary public access, and utilizing ServiceNow’s built-in security features, enterprises can minimize the risk of data exposure and safeguard their critical information.
Organizations using ServiceNow should take immediate steps to audit their Knowledge Base configurations, ensure User Criteria is set correctly, and utilize all available security properties to prevent unauthorized access. Failure to do so could leave valuable corporate information vulnerable to exploitation by malicious actors.