A trio of critical ServiceNow vulnerabilities could be chained by an unauthenticated attacker for full remote code execution (RCE) – with nearly 42,000 ServiceNow instances exposed at disclosure in May.
So say security researchers at Assetnote – whose Adam Kues spent a month finding the trio of ServiceNow bugs, allocated CVE-2024-4879 (CVSS 9.8), CVE-2024-5178 (CVSS 7.5), and CVE-2024-5217 (9.2) respectively.
(No exploitation has been seen in the wild, but given the severity of the bugs, as those with bad intentions reverse the patch, self-hosted customers who have not adopted the hot-fixes can expect trouble.)
Describing the first CVE as a “jelly template injection vulnerability in ServiceNow UI macros”, ServiceNow now acknowledged in a public July 10 security advisory that the bug could “enable an unauthenticated user to remotely execute code within the context of the Now Platform.”
ServiceNow pushed fixes for hosted instances in June and has a list of patched versions and hot fixes for those who have yet to update.
See also: The rise of the Chief Product Security Officer
Assetnote this week published a detailed analysis of the attack path. Customers are encouraged to patch swiftly if they have not done so.
(The attack surface management firm praised ServiceNow’s security team for their swift patches in June and dubbed them “highly communicative with us on this report and excellent to work with” – always great to see – with Assetnote Co-Founder Shubham Shah saying ServiceNow responded "responded incredibly quickly" in the wake of his team's disclosure.)
Detailing the vulnerabilities, Assetnote said: "Since ServiceNow is typically cloud-hosted but requires access to data from a company's internal network, it's common to configure ServiceNow with a proxy server.
"This proxy server is known as a 'MID Server' and sits inside a company's internal network. Due to the design of ServiceNow, administrator access on a ServiceNow instance leads to command execution on the MID Server, so the impacts of an authentication bypass are typically quite serious..."
See the full vulnerability analysis here.