ServiceNow quietly fixes 8-year-old data exposure flaw (The Register)

ServiceNow is issuing a fix for a flaw that exposes data, after a researcher published a method by which unauthenticated attackers could read an organization's sensitive records.

Security researcher Aaron Costello highlighted apparent issues with the default configuration of ServiceNow's widgets that allow personal data to be exposed. Despite a code change earlier this year intended to improve safety, the default configuration of these widgets is to make their records public, meaning that, if left unchanged, they will return whatever data an attacker asks them for.

Before quietly issuing a fix on October 20, ServiceNow told The Register that it was aware of the research describing "a potential misconfiguration issue." It did not say it would make any changes, adding that it works regularly with customers to ensure security configurations are properly implemented for each organization.

"We proactively work with customers on the ongoing safety of their security configurations, including Access Control Lists, to ensure they are properly structured and aligned to their intended purpose," a spokesperson said. "We make these protocols extensible so our customers can configure them based on their unique security needs - from companies with public portals providing broad access to information to enterprise-specific use cases where access is restricted to select users."

Access Control Lists (ACLs) govern access to resources within ServiceNow, such as tables, but not to widgets themselves. An ACL carries three checks: a role, a condition, and a script. If no ACL exists for a given resource, the default is to deny access; but if a resource has an ACL with all three checks left "Empty," an access attempt resolves to true.

In his research, Costello suggested that many of the ACLs in use in ServiceNow instances are blank: the three checks are left empty, and so access is granted to anyone who asks, including unauthenticated attackers.
His findings showed that an attacker who wanted to capitalize on these misconfigurations could do so with a script that targeted a ServiceNow instance, iterated over a list of known table and field names, and repeatedly called a widget to see whether any data came back.

On March 3, 2023, ServiceNow made a first change that checked whether the public role was explicitly applied to an ACL; if it wasn't, access would be denied. Costello's research described the failure modes:

"If 'public' is not defined as a role on the ACL, an unauthenticated user might still pass the condition or scripted parts and thus be granted access."

"Even more likely is the ACL is entirely empty of a defined role, condition, or script; allowing an unauthenticated user access to the resource."

He also suggested that by issuing an initial fix in March, ServiceNow demonstrated that it knew about the issue, yet did little to alert customers to the potential data exposure. A recently published, public-facing ServiceNow support page announced that the company was investigating the issue, but the customer communication that followed was limited to customer-only Knowledge Base articles.

After the research started attracting attention last week, ServiceNow quietly released a second fix that set all blank ACLs to disallow public access by default. It announced in a non-public KB article, seen by The Register, that an update had been applied to all blank ACLs to add a script ensuring access is granted only if a user is logged in.

While the company believes this should go a long way toward mitigating unauthorized access attempts, it recommended defining the role, condition, and script checks on every ACL in use. For any table that genuinely requires public access, customers have been urged to reduce the number of rows the ACL exposes publicly, which can be done by adding a script, and to apply the public role only to the specific fields that require it.
Widgets should also be reviewed for "Public" flags that aren't necessary, and if external access isn't required at all, IP access control should be applied to the ServiceNow instance to allow only trusted IP addresses.
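To make the ACL behaviour described above concrete, here is an added example, written for this page and not taken from the article, from Costello's research, or from ServiceNow: a small JavaScript model of how an ACL's three checks (role, condition, script) combine. It uses a hypothetical table x_example_article with constructed rows and sessions, and reproduces the blank-ACL leak, the explicit-public-role check the article attributes to the March change, the login-only script of the October fix, and the row- and field-level narrowing ServiceNow recommends. The evaluation rules are simplified from the article's description and are not ServiceNow's actual engine; the `answer = gs.getSession().isLoggedIn();` line shown in a comment is an assumed real-world ACL-script equivalent, not something quoted from the article.

```javascript
// Added example (not ServiceNow code): a simplified model of a ServiceNow-style
// ACL with three checks (roles, condition, script). Each check that is left
// empty counts as passed, which is why a fully blank ACL grants access to anyone.
// Table name, rows, sessions and ACLs below are all constructed for illustration.

// Constructed sessions. Anonymous visitors carry only the built-in "public" role.
const ANON = { loggedIn: false, roles: ['public'] };
const EMPLOYEE = { loggedIn: true, roles: ['public', 'itil'] };

// LEGACY: an empty role list passes for everyone.
// HARDENED: as the article describes the March 2023 change, an unauthenticated
// user passes the role check only if "public" is explicitly listed on the ACL.
const LEGACY = { requireExplicitPublic: false };
const HARDENED = { requireExplicitPublic: true };

// Constructed rows of a hypothetical table x_example_article.
const ROWS = [
  { sys_id: 'a1', title: 'Office hours', internal_notes: 'none', is_public: true },
  { sys_id: 'a2', title: 'Payroll calendar', internal_notes: 'HR only', is_public: false },
  { sys_id: 'a3', title: 'VPN rotation plan', internal_notes: 'new PSK in vault', is_public: false },
];

function roleCheck(acl, session, policy) {
  if (!session.loggedIn && policy.requireExplicitPublic) {
    return acl.roles.includes('public');
  }
  if (acl.roles.length === 0) return true; // empty check resolves to true
  return acl.roles.some((r) => session.roles.includes(r));
}

// Evaluate one ACL for one session against one record.
function aclAllows(acl, session, record, policy) {
  const roleOk = roleCheck(acl, session, policy);
  const condOk = acl.condition ? acl.condition(record) : true;
  const scriptOk = acl.script ? acl.script(session, record) : true;
  return roleOk && condOk && scriptOk;
}

// Rows a session can read through a table-level ACL: what a widget iterating
// over the table would hand back to the caller.
function readableRows(acl, session, rows, policy) {
  return rows.filter((row) => aclAllows(acl, session, row, policy));
}

// Fields of one row a session can read, given a field-level ACL per field.
function visibleFields(row, fieldAcls, session, policy) {
  return Object.keys(fieldAcls).filter((f) => aclAllows(fieldAcls[f], session, row, policy));
}

// Audit helper: ACLs with no role, no condition and no script.
function findBlankAcls(acls) {
  return acls.filter((acl) => acl.roles.length === 0 && !acl.condition && !acl.script);
}

// 1. A blank read ACL, as Costello found many to be.
const BLANK_ACL = { name: 'x_example_article.read (blank)', roles: [], condition: null, script: null };

// 2. The October fix as described: a script that passes only for logged-in users.
//    In a real ACL script this would be roughly: answer = gs.getSession().isLoggedIn();
//    (assumed API for illustration, not quoted from the article)
const LOGIN_ONLY_ACL = { ...BLANK_ACL, name: 'x_example_article.read (login script)', script: (session) => session.loggedIn };

// 3. Recommended shape for a table that genuinely needs public rows: an explicit
//    public role plus a script that narrows which rows qualify.
const PUBLIC_ROWS_ACL = {
  name: 'x_example_article.read (public rows only)',
  roles: ['public'],
  condition: null,
  script: (session, record) => record.is_public === true,
};

// 4. Field-level ACLs: "public" applied only to the field that needs it.
const FIELD_ACLS = {
  title: PUBLIC_ROWS_ACL,
  internal_notes: { ...BLANK_ACL, name: 'x_example_article.internal_notes.read', roles: ['itil'] },
};

function demo() {
  return {
    blankLegacyAnon: readableRows(BLANK_ACL, ANON, ROWS, LEGACY).length,            // 3: everything leaks
    blankHardenedAnon: readableRows(BLANK_ACL, ANON, ROWS, HARDENED).length,        // 0
    loginOnlyAnon: readableRows(LOGIN_ONLY_ACL, ANON, ROWS, LEGACY).length,         // 0
    loginOnlyEmployee: readableRows(LOGIN_ONLY_ACL, EMPLOYEE, ROWS, LEGACY).length, // 3
    publicRowsAnon: readableRows(PUBLIC_ROWS_ACL, ANON, ROWS, HARDENED).map((r) => r.title), // ['Office hours']
    anonFields: visibleFields(ROWS[0], FIELD_ACLS, ANON, HARDENED),                 // ['title']
    employeeFields: visibleFields(ROWS[0], FIELD_ACLS, EMPLOYEE, HARDENED),         // ['title', 'internal_notes']
    blankAcls: findBlankAcls([BLANK_ACL, LOGIN_ONLY_ACL, PUBLIC_ROWS_ACL]).map((a) => a.name),
  };
}

console.log(demo());
```

Run with `node`. The useful takeaway is the order of failure: under the legacy rules the blank ACL returns every row to an anonymous caller, the login-only script closes that hole without touching the role list, and the public-rows ACL shows the recommended end state, where public access is both explicit and narrowed by a script. The findBlankAcls helper is the audit a customer would run over an export of its own ACL records (the sys_security_acl table) to find entries that still have all three checks empty.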

Originally published on www.theregister.com. Publication date: Thu, 30 Nov 2023 23:19:27 +0000

