Earlier this week, ServiceNow announced on its support site that misconfigurations within the platform could result in “unintended access” to sensitive data. For organizations that use ServiceNow, this security exposure is a critical concern that can result in a major data leakage of sensitive corporate data.
ServiceNow is a cloud-based platform used for automating IT service management, IT operations management, and IT business management for customer service, as well as HR, security operations, and a wide variety of additional domains. This SaaS application is considered to be one of the top business-critical applications due to its infrastructural nature, extensibility as a development platform, and access to confidential and proprietary data throughout the organization.
Simple List is an interface widget that pulls data that is stored in tables and uses them in dashboards. The default configuration for Simple List allows the data in the tables to be accessed remotely by unauthenticated users. These tables include sensitive data, including content from IT tickets, internal classified knowledge bases, employee details, and more.
These misconfigurations have actually been in place since the introduction of Access Control Lists in 2015. To date, there were no reported incidents as a result. However, considering the recent publication of the data leakage research, leaving it unresolved can now expose companies more than ever.
Inside the ServiceNow Misconfigurations
It’s important to point out that this issue was not caused by a vulnerability in ServiceNow’s code but by a combination of configurations that exist throughout the platform.
This issue stems from security controls in a ServiceNow Access Control List (ACL) widget called Simple List, which puts records into easily readable tables. These tables organize information from multiple sources and have configurations with a default setting of Public Access.
Because these tables are the core of ServiceNow, the issue isn’t contained within a single setting that can be fixed. Potentially, this needs to be remediated in multiple locations within the application in combination with the usage of the UI widget, and throughout all tenants. To further complicate the issue, changing a single setting could break existing workflows connected to the Simple List tables, causing severe disruption of existing processes.
On the other hand, leaving these tables and applications exposed could have major security implications now that this issue has received so much attention.
We encourage all ServiceNow customers to review the recent guidance published by ServiceNow in their knowledge base article – General Information | Potential Public List Widget Misconfiguration.
To summarize, exposure assessment and remediation measures shall include:
- Review Access Control Lists (ACLs) that either are entirely empty or, alternately, contain the role “Public”
- Review public widgets and set the “Public” flag to false where it is not aligned with their use cases
- Consider using stricter access control measures using built-in controls offered by ServiceNow, such as IP Address Access Control or Adaptive Authentication
- Consider installing ServiceNow Explicit Roles Plugin. ServiceNow states that the plugin prevents external users from accessing internal data and instances using this plugin are not affected by this issue (the plugin ensures that every ACL declares at least one role requirement)
Automate Data Leakage Prevention for ServiceNow
Organizations that use a SaaS Security Posture Management (SSPM) solution are able to gain visibility into ServiceNow’s configurations and remediate the issue based on the recommendations.
Complimentary Assessment to Quantify Exposure
To help organizations secure ServiceNow, Adaptive Shield is offering a free ServiceNow assessment for this issue. After a quick validation of your org, our Security research team will send you a report detailing any exposure your portals may have from this misconfiguration.