Security researchers at Assetnote have uncovered a chain of vulnerabilities in ServiceNow, a widely used platform for business transformation and automation.
Assetnote reveals how these flaws could potentially allow unauthorized access to sensitive data and command execution on connected servers.
ServiceNow, known for its cloud-based instances that handle everything from HR management to automation workflows, has become an integral part of many companies' IT infrastructure. The platform's widespread adoption and the sensitive nature of the data it often handles make it an attractive target for potential attackers.
The research team at Assetnote identified three distinct vulnerabilities, now assigned CVE numbers CVE-2024-4879, CVE-2024-5178, and CVE-2024-5217. When chained together, these flaws could allow an attacker to gain full database access and control over any configured MID (Management, Instrumentation, and Discovery) servers.
The first vulnerability (CVE-2024-4879) exploits ServiceNow's routing mechanism and its use of Apache Jelly for UI templating. Researchers found that by manipulating the 'jvar_page_title' parameter in the URL, they could inject malicious XML content into the page title. This injection was possible due to an oversight in the HTML sanitizer, which allowed the use of the 'style' tag without proper restrictions.
Building on this initial foothold, the team discovered a way to bypass several security mitigations implemented by ServiceNow. These included escaping certain characters and restricting namespace bindings. By using single quotes instead of double quotes in the XML namespace declaration, the researchers were able to execute arbitrary JavaScript code on the platform.
The second vulnerability (CVE-2024-5178) focused on accessing sensitive files on the ServiceNow instance. The researchers found a flaw in the 'SecurelyAccess' class, which is designed to provide secure read access to certain files. By exploiting a path traversal vulnerability in the file path cleaning process, they were able to bypass blacklist restrictions and access critical configuration files, including database credentials.
The third and final vulnerability (CVE-2024-5217) in the chain allowed for command execution on MID servers. MID servers act as proxy servers within a company's internal network, facilitating communication between the cloud-based ServiceNow instance and internal systems. By leveraging the 'SncProbe' class, which is designed to run shell commands on MID servers, the researchers demonstrated the ability to execute arbitrary commands on these internal servers.
The implications of these vulnerabilities are severe. An attacker exploiting this chain could potentially access all data stored in a ServiceNow instance, including sensitive employee and HR records. Furthermore, the ability to execute commands on MID servers could provide initial access for further lateral movement within an organization's internal network.
Assetnote responsibly disclosed these vulnerabilities to ServiceNow on May 14, 2024. ServiceNow has since taken swift action to address the issues. For CVE-2024-4879, patches have already been applied to customer instances. CVE-2024-5178 and CVE-2024-5217 were addressed in June 2024, with patches applied to customer instances and hotfixes provided for those who may have opted out of automatic updates.
Organizations using ServiceNow are strongly advised to ensure they are running the latest patched versions of the platform. IT security teams should also review their ServiceNow configurations and access controls to minimize potential exposure.