ServiceNow Vulnerability Requires Immediate Attention
Recently discovered vulnerabilities in ServiceNow, a widely used IT service management platform, have exposed organizations to significant risk. The vulnerabilities affect various versions of the Now Platform, including the Washington D.C., Vancouver, and Utah releases. These vulnerabilities enable unauthenticated attackers to remotely execute malicious code on vulnerable ServiceNow instances. An additional vulnerability can be combined with these to provide full access to the ServiceNow database.
Exploiting these flaws, cybercriminals have already infiltrated over 105 ServiceNow databases, stealing email addresses and hashed passwords. Resecurity reported that attackers are targeting vulnerable ServiceNow instances in a two-phase attack. First, they inject a payload to test the system’s vulnerability, followed by a second payload to extract user data including credentials. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added these vulnerabilities to its Known Exploited Vulnerabilities catalog, issuing a directive to federal civilian executive branch agencies to apply patches by August 19, 2024, or discontinue using ServiceNow until remediation is complete.
Identified vulnerabilities
- Authentication Bypass CVE-2024-4879: This vulnerability allows attackers to bypass authentication mechanisms, granting them unauthorized access to the ServiceNow platform. Once inside, they can remotely execute malicious code, compromising the integrity of the systems.
- Arbitrary Data Access CVE-2024-5217: This vulnerability allows attackers to access and extract any data stored within the ServiceNow instance. This includes confidential information, customer data, and internal communications, posing a severe risk to business operations and data privacy.
- Privilege Escalation CVE-2024-5178: This flaw enables attackers to escalate their privileges within the ServiceNow environment. By exploiting this vulnerability, attackers can gain administrative access, making it possible to manipulate system settings and access sensitive data.
Recommended Actions
To mitigate the risks associated with the ServiceNow vulnerabilities, security experts recommend taking the following immediate steps:
- Prioritize installing the latest security patches released by ServiceNow to address the identified vulnerabilities.
- Implement stringent access controls, limiting access to ServiceNow instances to authorized personnel in line with the principle of least privilege.
- Isolate ServiceNow environments from the broader network to hinder lateral movement.
- Enforce multi-factor authentication (MFA) for all ServiceNow administrative accounts and consider extending it to other user groups.
- Implement robust monitoring of ServiceNow systems and networks for anomalous activities.
- Review and update the incident response plan to effectively handle potential security incidents.
By promptly implementing these recommendations, organizations can significantly reduce the risk of exploitation and protect sensitive data from unauthorized access.
How we help
ACA Aponix® can help your firm build your cybersecurity program to strengthen your line of defense against cyberattacks. Our services include:
- Aponix Protect™ is a cybersecurity and technology risk solution that helps you build a comprehensive risk management program tailored to your business needs.
- ACA Signature combines cybersecurity with compliance advisory services, innovative technology and managed services for a scalable solution that can help you gain expert insight, guidance, and support as you navigate emerging challenges.
Reach out to your ACA consultant, or contact us to find out how ACA can help secure your firm against cyber threats and comply with regulatory expectations.