ServiceNow is issuing a fix for a flaw that exposes data after a researcher published a method for unauthenticated attackers to steal an organization's sensitive files.

Security researcher Aaron Costello highlighted apparent issues with the default configuration of ServiceNow's widgets that allow personal data to be exposed. Despite a code change earlier this year intended to improve safety, the widgets' records were still public by default, meaning that if the configuration is left unchanged, a widget will return whatever type of data an attacker asks it for.

Before quietly issuing a fix on October 20, ServiceNow told The Register that it was aware of the research describing "a potential misconfiguration issue." However, it didn't say it would make any changes, adding that it works regularly with customers to ensure security configurations are properly implemented for each unique organization.

"We proactively work with customers on the ongoing safety of their security configurations, including Access Control Lists, to ensure they are properly structured and aligned to their intended purpose," a spokesperson said. "We make these protocols extensible so our customers can configure them based on their unique security needs - from companies with public portals providing broad access to information to enterprise-specific use cases where access is restricted to select users."

Access Control Lists (ACLs) govern access to resources within ServiceNow, such as tables, but not to widgets themselves. Each ACL carries three checks: a role, a condition, and a script. If no ACL exists for a given resource, the default is to deny access, but if a resource has an ACL with all three checks left empty, every access attempt resolves to true. In his research, Costello found that many of the ACLs in use in ServiceNow instances are blank in exactly this way, so access is granted to potential attackers.
His findings showed that an attacker who wanted to capitalize on these misconfigurations could craft a script that targeted a ServiceNow instance, iterated over a series of known table and field names, and repeatedly called a widget to see whether any data came back.

On March 3, 2023, ServiceNow made a first tweak: resources would check whether the public role was explicitly applied in the ACL and deny access if it wasn't. In Costello's words:

"If 'public' is not defined as a role on the ACL, an unauthenticated user might still pass the condition or scripted parts and thus be granted access."

"Even more likely is the ACL is entirely empty of a defined role, condition, or script; allowing an unauthenticated user access to the resource."

He also suggested that by issuing an initial fix in March, ServiceNow demonstrated that it knew about the issue but did little to alert customers to the potential data exposure. A recently published, public-facing ServiceNow support page does announce that the company was investigating the issue, but the customer communication that followed was limited to customer-only Knowledge Base articles.

After the research started attracting attention last week, ServiceNow quietly released a second fix that set all blank ACLs to disallow public access by default. It announced in a non-public KB article, seen by The Register, that an update had been applied to all blank ACLs to add a script ensuring access is granted only if the user is logged in.

While the company believes this should go a long way toward mitigating unauthorized access attempts, it recommended defining the role, condition, and script checks on every ACL used in ServiceNow. For any table that requires public access, customers have been urged to reduce the number of rows the ACL grants public access to, which can be done by adding a script, and to apply the public role only to the specific fields that require it.
Widgets should also be reviewed for "Public" flags that aren't necessary, and if external access isn't required at all, IP access control should be applied to the ServiceNow instance to allow only trusted IP addresses.
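To make the blank-ACL behaviour and the recommended hardening concrete, here is a small JavaScript model of how the three ACL checks combine. It is an added example written for this page, not ServiceNow's own code or Costello's script: the evaluator (`evaluateAcl`), the session shape, the sample rows and the field names `active`, `public_article`, `short_description` and `author_email` are all assumptions of the model. It covers both the empty-checks-pass case described above and the remediation advice (explicit role, condition, row-narrowing script, and field-level public role).

```javascript
'use strict';

// Constructed sample rows for a hypothetical table; "active" and
// "public_article" are assumed fields used by the checks below.
const SAMPLE_ROWS = [
  { sys_id: 'a1', active: true, public_article: true,
    short_description: 'Password reset how-to', author_email: 'ann@example.test' },
  { sys_id: 'b2', active: true, public_article: false,
    short_description: 'Internal VPN runbook', author_email: 'bob@example.test' },
];

// A session as this model's evaluator sees it. An unauthenticated visitor
// holds only the implicit "public" role (assumption of the model).
function makeSession(roles, loggedIn) {
  return { roles: new Set(roles), loggedIn };
}
const ANONYMOUS = makeSession(['public'], false);
const ITIL_USER = makeSession(['public', 'itil'], true);

// One ACL record with the three checks the article describes. An empty check
// passes, which is the behaviour that makes a fully blank ACL grant access.
//   roles:     array of role names, one of which the session must hold
//   condition: function(record) -> boolean, or null
//   script:    function(record, session) -> boolean, or null
function evaluateAcl(acl, session, record) {
  if (!acl) return false;                      // no ACL at all: deny
  const roleOk = !acl.roles || acl.roles.length === 0
    ? true
    : acl.roles.some((r) => session.roles.has(r));
  const condOk = acl.condition ? acl.condition(record) : true;
  const scriptOk = acl.script ? acl.script(record, session) : true;
  return roleOk && condOk && scriptOk;
}

// The case from the research: all three checks left empty.
const BLANK_ACL = { roles: [], condition: null, script: null };

// Model of the October 20 update as the KB article describes it: every blank
// ACL gets a script that only passes when the user is logged in.
function applyLoggedInFix(acl) {
  const blank = (!acl.roles || acl.roles.length === 0) && !acl.condition && !acl.script;
  if (!blank) return acl;
  return { ...acl, script: (_record, session) => session.loggedIn };
}

// The recommended shape for a table that genuinely needs public access:
// explicit role, a condition, and a script that narrows the public rows.
const HARDENED_PUBLIC_ACL = {
  roles: ['public'],
  condition: (record) => record.active === true,
  script: (record, session) => session.loggedIn || record.public_article === true,
};

// Field-level ACLs, with the public role applied only to the fields that
// need it. A field with no ACL is denied, matching the table-level default.
const FIELD_ACLS = {
  short_description: { roles: ['public'], condition: null, script: null },
  author_email:      { roles: ['itil'],   condition: null, script: null },
};

// Which row sys_ids a session can read under a given table ACL.
function readableRows(acl, session, rows) {
  return rows.filter((r) => evaluateAcl(acl, session, r)).map((r) => r.sys_id);
}

// Field read: the table ACL must pass and then the field ACL must pass.
function canReadField(tableAcl, field, session, record) {
  return evaluateAcl(tableAcl, session, record)
    && evaluateAcl(FIELD_ACLS[field], session, record);
}

// Quick demonstration when run directly with node.
console.log('blank ACL, anonymous:    ', readableRows(BLANK_ACL, ANONYMOUS, SAMPLE_ROWS));
console.log('after Oct fix, anonymous:', readableRows(applyLoggedInFix(BLANK_ACL), ANONYMOUS, SAMPLE_ROWS));
console.log('hardened, anonymous:     ', readableRows(HARDENED_PUBLIC_ACL, ANONYMOUS, SAMPLE_ROWS));
console.log('hardened, itil user:     ', readableRows(HARDENED_PUBLIC_ACL, ITIL_USER, SAMPLE_ROWS));
console.log('anonymous reads author_email:',
  canReadField(HARDENED_PUBLIC_ACL, 'author_email', ANONYMOUS, SAMPLE_ROWS[0]));
```

The point to take from the model is the order of the failures: a blank ACL returns both rows to an anonymous session, the logged-in script alone shuts anonymous access off entirely, and the hardened ACL is what actually lets a public portal keep serving the rows and fields meant to be public while withholding the rest.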
This Cyber News was published on www.theregister.com. Publication date: Thu, 30 Nov 2023 23:19:27 +0000