A Wake-Up Call for Companies

Oct 30, 2023The Hacker NewsSaaS Security / Data Security

Disclosure of Data in the Service Now

Earlier this week, ServiceNow announced on its support site that misconfigurations within the platform could result in “inadvertent access” to sensitive data. For organizations using ServiceNow, this security exposure is a critical concern that could result in major data leaks of sensitive corporate data. ServiceNow has since taken steps to fix this issue.

This article thoroughly analyzes the issue, explains why this critical application misconfiguration can have serious consequences for businesses, and remedial steps to take in companies, if not for the ServiceNow fix. (However, it is recommended to double check that the fix closes the organization’s exposure.)

In a Nutshell

ServiceNow is a cloud-based platform used for automating IT service management, IT operations management, and IT business management for customer service, as well as HR, operations security, and a wide variety of additional domains. This SaaS application is considered one of the top business-critical applications due to the nature of the infrastructure, extensibility as a development platform, and access to confidential and proprietary data across the organization.

Simple List is an interface widget that pulls data stored in tables and uses it in dashboards. The default configuration for Simple List allows the data in the tables to be accessed remotely by untrusted users. These tables include sensitive data, including content from IT tickets, internal classified knowledge bases, employee details, and more.

These misconfigurations have been occurring since the introduction of Access Control Lists in 2015. To date, no incidents have been reported as a result. However, considering the recent publication of data leakage research, if it is not addressed companies may be more exposed than before.

This exposure is the result of just one default configuration — and there are hundreds of configurations covering access control, data leakage, malware protection, and more that must be secured and maintained. For organizations using an SSPM (SaaS Security Posture Management solution), such as Adaptive Shield, organizations can more easily identify dangerous misconfigurations and see if they are compliant or not (see picture 1 below).

Learn more about how SSPM secures critical apps in your SaaS stack

Inside ServiceNow Misconfigurations

It is important to reiterate that this issue is not due to a vulnerability in the ServiceNow code but to a configuration that exists within the platform.

This issue stems from security controls in a ServiceNow Access Control List (ACL) widget called Simple List, which places records in easy-to-read tables. These tables organize information from multiple sources and have configurations with a default setting of Public Access.

Since these tables are the core of ServiceNow, the issue is not within a single setting that can be fixed. This should be remedied in multiple locations within the application in conjunction with UI widget usage, and across all tenants. Further complicating the issue, is that changing a setting can break existing workflows connected to Simple List tables, causing severe disruption to existing processes.

Remedial Measures

ServiceNow published in their knowledge base article – General Information | Potentially Public List Widget Misconfigurationexposure assessment and remedial measures include:

  • Review Access Control Lists (ACLs) that are completely empty or, alternatively, have the role “Public”
  • Review the public widgets and set the “Public” flag to false where it doesn’t match their use cases
  • Consider using more stringent access control measures using built-in controls offered by ServiceNow, such as IP Address Access Control or Adaptive Authentication
  • Consider installing ServiceNow Explicit Roles Plugin. ServiceNow says that the plugin prevents external users from accessing internal data and that instances using this plugin are not affected by this issue (the plugin ensures that each ACL declares at least one paper requirements)

These recommended remediation steps are still applicable for exposed organizations (even after remediation) as it is worth double-checking to ensure maximum security across the organization.

Learn more about automating your ServiceNow Security

Automate Data Leakage Prevention for ServiceNow

Organizations using a SaaS Security Posture Management (SSPM) solution, such as Adaptive Shield, are able to gain visibility into ServiceNow’ and any other SaaS app configurations and fix any configuration issues.

Disclosure of Data in the Service Now
Figure 1: Adaptive Shield dashboard with compliance framework: ServiceNow KB1553688 – Public List Widget Misconfiguration

SSPMs alert security teams when there are high-risk configurations, enabling them to adjust their settings and prevent any kind of data leakage. In this way, companies gain a better understanding of their company’s attack surface, risk level, and security posture with SSPM.

Click here to request a demo and get a review of any app exposure


Did you find this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.

Leave a comment