Customers of the cloud-based platform may inadvertently expose sensitive information, including names, phone numbers, internal system details, and active login credentials, potentially compromising confidentiality.
Mismanagement of Knowledge Bases (KBs) within ServiceNow’s self-service platform, where customers create, store, and share content such as articles and guides, may inadvertently grant unauthorized individuals access to that content. Organizations frequently use knowledge bases as repositories for sensitive internal data, including tutorials on resetting company passwords, procedures for responding to cyberattacks, and human resources process knowledge, among other essential details.
According to a report by SaaS security platform provider AppOmni, approximately 60% of the exposures stem from outdated versions of knowledge bases that are configured to allow public access by default. Other organizations employ “Person Standards,” a set of rules defining the specific conditions under which users may read or contribute to a knowledge base, and in doing so may inadvertently allow unauthenticated users in.
ServiceNow is used by 85% of Fortune 500 companies, yet more than a thousand business processes remain disorganized. Several organizations running multiple ServiceNow instances were found to have persistently misconfigured Knowledge Base access controls, either because of cloning issues or because of a fundamental misunderstanding of how those controls work.
According to Aaron Costello, head of SaaS security analysis at AppOmni, “This underscores the urgent need for companies to regularly inspect and update their security settings to prevent unauthorized access and safeguard intellectual property.”
“Crucial for sustained enterprise SaaS environment safety is grasping key mitigating strategies that can effectively neutralize potential hazards.”
This is not the first time a data exposure has been found in ServiceNow; this time it is caused by customer misconfigurations. In 2020, another researcher found that Knowledge Base articles were publicly accessible through a user interface (UI) page, which has since been made inaccessible to protect the data.
According to Ben De Bont, Chief Information Security Officer at ServiceNow, the company is committed to building a collaborative relationship with the cybersecurity community: “Dedicated to safeguarding our customers’ expertise, we forge unbreakable bonds with safety researchers, collaborating tirelessly to fortify the integrity of our products.”
Information Base misconfigurations typically include incorrect or incomplete settings for data processing and storage, such as insufficiently sized logs, poorly designed indexing schemes, and inadequate data encryption. This can lead to inefficient query performance, compromised data security, and difficulties in retrieving required information. Other common issues include inconsistent naming conventions, poorly defined metadata, and ineffective use of data compression techniques.
Companies were inadvertently leaving their ServiceNow Knowledge Bases exposed in three specific situations:
- In older versions of ServiceNow, the default settings for a Knowledge Base allow public access when no Person Standards are configured.
- When the “Any Person” and “Any Consumer for KB” Person Standards are used as allowlists. Each of these grants access to unauthenticated users, which administrators may not realize.
- When administrators fail to configure denylists, allowing external users to circumvent the access controls.
Attackers may exploit vulnerabilities in databases by using SQL injection attacks, which involve injecting malicious code into SQL statements that interact with the database. This can allow attackers to access sensitive information, manipulate data, or even take control of the database server.
To avoid these types of attacks, it is essential to sanitize user input and ensure that only authorized users have access to the database.
Public-facing widgets, such as the “KB Article Webpage” widget, expose the contents of misconfigured knowledge bases to anyone who can reach them.
An attacker can automate requests to find accessible articles using tools like Burp Suite, because the KB Article Webpage widget uses a consistent, predictable article ID format, “KBXXXXXXX,” where X denotes a positive integer.
Burp Suite’s Intruder feature can iterate rapidly over such integers, identifying articles that have been inadvertently exposed. Any unsecured article then returns its full body text, including the sensitive content, directly.
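The enumeration pattern just described leaves a recognisable trace in web server logs: one client walking many consecutive article IDs in a short time, often without a session. The detection below is an added example (not from the report or ServiceNow); it assumes a constructed log layout and a `kb_view.do?sysparm_article=` request path, and reports how many of the unauthenticated requests actually returned an article.

```python
import re
from collections import defaultdict
from datetime import datetime

KB_ID = re.compile(r"\bKB(\d{7})\b")  # the fixed "KB" + seven digits article-ID pattern
# Constructed log layout (an assumption, not ServiceNow's own):
# "<iso-time> <client-ip> <user, or '-' if unauthenticated> <status> <method> <path>"
LINE = re.compile(r"^(\S+) (\S+) (\S+) (\d{3}) \S+ (\S+)$")

def parse(lines):
    """Yield (time, ip, user, status, article_number) for each KB article request."""
    for line in lines:
        m = LINE.match(line.strip())
        kb = KB_ID.search(m.group(5)) if m else None
        if kb:
            yield (datetime.fromisoformat(m.group(1)), m.group(2), m.group(3),
                   int(m.group(4)), int(kb.group(1)))

def detect_enumeration(lines, window_s=300, min_ids=5, seq_ratio=0.8):
    """Flag IPs that request many distinct, mostly consecutive article IDs inside one window.
    guest_reads_200 counts unauthenticated requests answered 200: articles a guest really read."""
    by_ip = defaultdict(list)
    for ts, ip, user, status, num in parse(lines):
        by_ip[ip].append((ts, user, status, num))
    alerts = []
    for ip, evs in sorted(by_ip.items()):
        ids = sorted({e[3] for e in evs})
        span = (max(e[0] for e in evs) - min(e[0] for e in evs)).total_seconds()
        if len(ids) < min_ids or span > window_s:
            continue
        ratio = sum(b - a == 1 for a, b in zip(ids, ids[1:])) / max(len(ids) - 1, 1)
        if ratio < seq_ratio:
            continue
        guest_reads = sum(1 for e in evs if e[1] == "-" and e[2] == 200)
        alerts.append({"ip": ip, "distinct_ids": len(ids),
                       "sequential_ratio": round(ratio, 2), "guest_reads_200": guest_reads})
    return alerts

# Constructed sample: an unauthenticated client walking consecutive IDs, then a normal user.
SAMPLE_LOG = [
    "2024-05-01T10:00:00 203.0.113.7 - 200 GET /kb_view.do?sysparm_article=KB0010001",
    "2024-05-01T10:00:01 203.0.113.7 - 200 GET /kb_view.do?sysparm_article=KB0010002",
    "2024-05-01T10:00:02 203.0.113.7 - 404 GET /kb_view.do?sysparm_article=KB0010003",
    "2024-05-01T10:00:03 203.0.113.7 - 200 GET /kb_view.do?sysparm_article=KB0010004",
    "2024-05-01T10:00:04 203.0.113.7 - 403 GET /kb_view.do?sysparm_article=KB0010005",
    "2024-05-01T10:00:05 203.0.113.7 - 200 GET /kb_view.do?sysparm_article=KB0010006",
    "2024-05-01T10:05:00 198.51.100.4 jdoe 200 GET /kb_view.do?sysparm_article=KB0010003",
    "2024-05-01T10:07:30 198.51.100.4 jdoe 200 GET /kb_view.do?sysparm_article=KB0010250",
]
```

A non-zero `guest_reads_200` in an alert is the finding that matters: each counted request is an article an unauthenticated visitor was actually served.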
Implementing robust access controls and authentication mechanisms can significantly enhance the security of knowledge bases against unauthorized access. This includes using multi-factor authentication, enforcing strict password policies, and ensuring that all users have unique and complex login credentials.
Moreover, regular software updates and patching are crucial to prevent exploitation of known vulnerabilities. Additionally, employing intrusion detection systems and firewalls can help detect and block malicious attempts to access the information bases.
It is also essential to establish a comprehensive auditing and logging mechanism to track all system activities and identify potential security breaches. Furthermore, conducting regular vulnerability assessments and penetration testing can help identify weaknesses and allow for timely remediation.
To further strengthen security, consider implementing encryption protocols to protect sensitive data at rest and in transit. This includes utilizing secure socket layer (SSL) or transport layer security (TLS) for network communications and encrypting stored data using algorithms such as Advanced Encryption Standard (AES).
The following diagnostic checks should be performed to verify that Knowledge Base (KB) access controls are functioning correctly: Is the KB configured with valid and current entries? Are there duplicate or outdated entries in the KB that could undermine the effectiveness of the controls? Do the KB entries accurately reflect real-world conditions, or have they become outdated over time?
ServiceNow’s Person Standards diagnostic tool enables administrators to identify both authenticated and unauthenticated users who have access to knowledge bases and to individual records.
To list the public knowledge bases, visit /get_public_knowledge_bases.do. The more comprehensive diagnostic tool at /km_diagnostics.do identifies the point at which both public and private users gain access to specific articles.
Ensure that knowledge bases are inaccessible by default unless the user is authenticated.
The business rule with sys_id 6c8ec5147711111016f35c207b5a9969, which assigns the Visitor Person standard to the “Can’t Read” and “Can’t Contribute” lists of Knowledge Bases, must be enabled for these knowledge bases.
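The three exposure situations listed earlier and the two remediations here (closed by default, guest criterion on the Can’t Read list) can be expressed as a small audit model. This is an added example, not ServiceNow code or the report’s tooling: it assumes that a matching denylist entry always overrides the allowlist, that an empty allowlist means public only on older versions, and that the criteria named “Any Person”, “Any Consumer for KB” and “Visitor Person” match unauthenticated visitors.

```python
from dataclasses import dataclass, field

# Person Standards that, per the report, admit unauthenticated users when placed on an
# allowlist; "Visitor Person" is the page's name for the guest criterion (assumed to match too).
GUEST_MATCHING = {"Any Person", "Any Consumer for KB", "Visitor Person"}

@dataclass
class KnowledgeBase:
    name: str
    can_read: set = field(default_factory=set)      # allowlist of Person Standard names
    cannot_read: set = field(default_factory=set)   # denylist of Person Standard names
    legacy_defaults: bool = False                   # older version: empty allowlist == public

def guest_can_read(kb):
    """Return (exposed, reason) for an unauthenticated visitor. Assumed semantics: a matching
    denylist entry always wins; an empty allowlist is public only under legacy defaults."""
    if kb.cannot_read & GUEST_MATCHING:
        return False, "guest blocked by Can't Read denylist"
    if not kb.can_read:
        if kb.legacy_defaults:
            return True, "no Can Read criteria: public by default on older versions"
        return False, "no Can Read criteria: closed by default"
    hit = sorted(kb.can_read & GUEST_MATCHING)
    if hit:
        return True, "Can Read allowlist admits guests via " + ", ".join(hit)
    return False, "Can Read allowlist limited to authenticated criteria"

def audit(kbs):
    """Knowledge bases an unauthenticated visitor could read, each with the reason."""
    return [(kb.name, guest_can_read(kb)[1]) for kb in kbs if guest_can_read(kb)[0]]

def apply_guest_denylist(kb):
    """Mirror the effect of the business rule: put the guest criterion on the Can't Read list."""
    kb.cannot_read.add("Visitor Person")
    return kb

# Constructed sample configurations covering the three situations listed above.
SAMPLE_KBS = [
    KnowledgeBase("IT Runbooks", legacy_defaults=True),
    KnowledgeBase("HR Policies", can_read={"Any Person"}),
    KnowledgeBase("Password Resets", can_read={"Any Consumer for KB"},
                  cannot_read={"Visitor Person"}),
    KnowledgeBase("Security Team", can_read={"Employees Only"}),
]
```

Running `audit(SAMPLE_KBS)` reports the legacy-default and “Any Person” knowledge bases as exposed, while the one carrying the guest criterion on its denylist is not, even though its allowlist would admit guests.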