Three critical vulnerabilities in the ServiceNow IT service management platform have been disclosed and reported to have been under active exploitation.
The vulnerabilities have exposed sensitive information from over 105 organizations including government agencies, data centers, energy providers, and software development firms.
Threat actors are actively exploiting the flaws, CVE-2024-4879, CVE-2024-5217, and CVE-2024-5178, to steal email addresses, hashed passwords, and other sensitive data, according to cybersecurity firm Resecurity. The first two vulnerabilities have a CVSS score of 9.3 and 9.2 respectively.
Another research firm Assetnote added one more bug (CVE-2024-5178), with less severity, to the list, but said, that when chained together, hackers can exploit the vulnerabilities to access the ServiceNow database.
“These vulnerabilities enable unauthenticated remote attackers to execute arbitrary code within the Now Platform, potentially leading to compromise, data theft, and disruption of business operations,” Resecurity wrote in a blog post.
To add fuel to the fire, a report by DarkReading has claimed that the vulnerabilities have been exploited and data of various organizations have been stolen. More so, the stolen data, acquired using these vulnerabilities, is being offered for sale on the dark web for a mere $5,000, DarkReading reported citing BreachForums.
Resecurity said it is expected that the bad actors would “increasingly target” ServiceNow because of these vulnerabilities.
“There has been identified chatter on multiple underground forums on the Dark Web highlighting threat actors seeking compromised access to IT service desks, corporate portals, and other enterprise systems that typically provide remote access to employees and contractors,” Resecurity wrote in a blog. “These systems could be used for pre-positioning and attack planning, as well as reconnaissance.”
The firm further added that initial access brokers (IABs) “will be monetizing access to compromised enterprise portals and applications on the Dark Web, leveraging infostealers (malware) and digital identity leaks, due to poor network hygiene (on the customer side).”
“This vulnerability affects a significant number of ServiceNow sites across various industries, highlighting the importance of immediate action to secure these environments,” wrote Imperva, a Thales company, in its blog post explaining the vulnerabilities.
According to ServiceNow, it learned of the vulnerability on the Now Platform impacting instances running on the Vancouver and Washington, D.C. family releases on May 14, 2024. “That day, we deployed an update and have since issued a series of patches designed to address the issue,” a ServiceNow spokesperson said.
The company added that based on its investigation to date, it has not observed evidence that the activity mentioned in the Resecurity blog post is related to instances that ServiceNow hosts. “We have encouraged our self-hosted and ServiceNow-hosted customers to apply relevant patches if they have not already done so. We will also continue to work directly with customers who need assistance in applying those patches, as we have from day one,” the spokesperson said.
Understanding the vulnerabilities
The vulnerabilities in ServiceNow let anyone run code on the platform remotely without needing to log in. According to Resecurity, CVE-2024-4879 and CVE-2024-5217 are input validation vulnerabilities in ServiceNow’s “Vancouver” and “Washington DC” versions that allow unauthenticated remote attackers to execute arbitrary code with relative ease.
CVE-2024-4879 is related to Authentication Bypass. This flaw lets attackers bypass authentication and access the ServiceNow platform without permission. They can remotely execute code by exploiting this vulnerability.
CVE-2024-5217 pertains to Arbitrary Data Access. This vulnerability lets attackers access and extract any data stored in the ServiceNow system. This includes sensitive information, customer data, and internal communications, posing a serious threat to business operations and data privacy.
The third one, CVE-2024-5178, is related to Privilege Escalation and allows attackers to increase their access level within the ServiceNow system. With elevated permissions, attackers can gain administrative control, making it easier to alter data and system settings.
The US Cybersecurity and Infrastructure Security Agency (CISA) has already added these vulnerabilities to its known exploited vulnerabilities catalog, urging federal civilian executive branch agencies to apply the patches by August 19 or discontinue the use of ServiceNow until remediation.
Resecurity emphasized that some affected organizations were using outdated or poorly maintained instances and were unaware of the released patches. This underscores the critical need for organizations to maintain up-to-date software and apply security patches promptly to mitigate risks.
“It is crucial for organizations using ServiceNow to apply these updates immediately to protect their systems and data from potential attacks,” Resecurity suggested in the blog.