
ServiceNow Data Exposure

Adaptive Shield Team

Earlier this week, ServiceNow announced on its support site that misconfigurations within the platform could result in “unintended access” to sensitive data. For organizations that use ServiceNow, this exposure is a critical concern: it can result in a major leak of sensitive corporate data.

ServiceNow is a cloud-based platform used for automating IT service management, IT operations management, and IT business management for customer service, as well as HR, security operations, and a wide variety of additional domains. This SaaS application is considered to be one of the top business-critical applications due to its infrastructural nature, extensibility as a development platform, and access to confidential and proprietary data throughout the organization.

Simple List is an interface widget that pulls data stored in tables and displays it in dashboards. The default configuration for Simple List allows the data in those tables to be read remotely by unauthenticated users. These tables include sensitive data, such as content from IT tickets, internal classified knowledge bases, employee details, and more.

These misconfigurations have actually been in place since the introduction of Access Control Lists in 2015. To date, no incidents have been reported as a result. However, now that the data leakage research has been published, leaving the issue unresolved exposes companies more than ever.

Inside the ServiceNow Misconfigurations

It’s important to point out that this issue was not caused by a vulnerability in ServiceNow’s code but by a combination of configurations that exist throughout the platform.

This issue stems from the Access Control List (ACL) rules that govern a ServiceNow widget called Simple List, which renders records into easily readable tables. These tables organize information from multiple sources, and their configurations default to Public Access.

Because these tables are the core of ServiceNow, the issue isn’t contained within a single setting that can be fixed. Remediation may be needed in multiple locations within the application, in combination with the usage of the UI widget, and across all tenants. To further complicate the issue, changing a single setting could break existing workflows connected to the Simple List tables, causing severe disruption of existing processes.
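Because the exposure is a property of ACL rules spread across many tables rather than one switch, the first defensive step is an inventory: which tables have a read rule that asks for nothing, and which inherit such a rule from a catch-all. The script below is an added example for this post (not Adaptive Shield’s or ServiceNow’s code) that audits a constructed, simplified export of read ACL rules and reports which tables a Simple List widget could serve to an unauthenticated visitor. The record shape, the sample values and the evaluation rules (own-table rules first, then the "*" rule; passing any one applicable rule is enough) are assumptions for illustration, not ServiceNow’s full ACL semantics.

```python
# Added example (not Adaptive Shield's or ServiceNow's code): first-pass audit
# of a constructed, simplified read-ACL export. Real ACL evaluation also has
# field-level rules, parent-table inheritance and admin overrides; this only
# surfaces candidates for a manual review.
from typing import Dict, List, Tuple

# Constructed sample resembling a flattened ACL export: "name" is the
# protected table ("*" is the catch-all rule), "roles" has already been joined
# from the ACL-to-role mapping, "condition" is a record condition and "script"
# is the rule's advanced script. No value here comes from a real instance.
SAMPLE_ACLS: List[dict] = [
    {"name": "incident", "operation": "read", "active": True,
     "roles": [], "condition": "", "script": ""},                   # wide open
    {"name": "kb_knowledge", "operation": "read", "active": True,
     "roles": [], "condition": "", "script": "answer = gs.hasRole('knowledge');"},
    {"name": "sys_user", "operation": "read", "active": True,
     "roles": ["user_admin"], "condition": "", "script": ""},
    {"name": "sc_task", "operation": "read", "active": False,        # inactive
     "roles": [], "condition": "", "script": ""},
    {"name": "*", "operation": "read", "active": True,
     "roles": [], "condition": "", "script": ""},                   # catch-all
]


def is_public_read(acl: dict) -> bool:
    """An active read rule that requires no role, condition or script lets
    anyone through, including unauthenticated users (assumed model)."""
    return (acl["operation"] == "read" and acl["active"]
            and not acl["roles"]
            and not acl["condition"].strip()
            and not acl["script"].strip())


def effective_read_rules(acls: List[dict], table: str) -> Tuple[List[dict], str]:
    """Active read rules that apply to a table: the table's own rules win;
    otherwise the "*" rule applies (a simplification of ACL inheritance)."""
    active = [a for a in acls if a["operation"] == "read" and a["active"]]
    own = [a for a in active if a["name"] == table]
    if own:
        return own, "table"
    return [a for a in active if a["name"] == "*"], "wildcard"


def classify_table(acls: List[dict], table: str) -> str:
    """'public' if any applicable rule is wide open, 'restricted' if every
    applicable rule gates access, 'unmatched' if no active read rule applies."""
    rules, _ = effective_read_rules(acls, table)
    if not rules:
        return "unmatched"
    if any(is_public_read(r) for r in rules):
        return "public"
    return "restricted"


def audit(acls: List[dict], tables: List[str]) -> Dict[str, Dict[str, str]]:
    """Verdict per table plus which rule produced it, so a reviewer can tell
    a directly misconfigured table from one inheriting the catch-all."""
    report: Dict[str, Dict[str, str]] = {}
    for table in tables:
        _, source = effective_read_rules(acls, table)
        report[table] = {"verdict": classify_table(acls, table), "via": source}
    return report


def public_tables(acls: List[dict], tables: List[str]) -> List[str]:
    """Sorted list of tables that an unauthenticated read could reach."""
    return sorted(t for t, r in audit(acls, tables).items()
                  if r["verdict"] == "public")


if __name__ == "__main__":
    # sc_task's only rule is inactive and cmdb_ci has none, so both inherit "*".
    watch = ["incident", "kb_knowledge", "sys_user", "sc_task", "cmdb_ci"]
    for table, result in audit(SAMPLE_ACLS, watch).items():
        print(f"{table:14s} {result['verdict']:10s} (via {result['via']} rule)")
```

The useful output is the "via wildcard" rows: tables that look untouched in the ACL list are still reachable because the catch-all rule is open, which is why a single-setting fix rarely closes the exposure. Run it against your own export only after mapping the real field names onto the assumed record shape.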

On the other hand, leaving these tables and applications exposed could have major security implications now that this issue has received so much attention.  

Remediation Steps

We encourage all ServiceNow customers to review the recent guidance published by ServiceNow in their knowledge base article – General Information | Potential Public List Widget Misconfiguration.

To summarize, exposure assessment and remediation measures should include:

Automate Data Leakage Prevention for ServiceNow

Organizations that use a SaaS Security Posture Management (SSPM) solution are able to gain visibility into ServiceNow’s configurations and remediate the issue based on the recommendations. 

Image 1: Adaptive Shield dashboard with the compliance framework: ServiceNow KB1553688 – Public List Widget Misconfiguration

Complimentary Assessment to Quantify Exposure

To help organizations secure ServiceNow, Adaptive Shield is offering a free ServiceNow assessment for this issue. After a quick validation of your org, our security research team will send you a report detailing any exposure your portals may have from this misconfiguration.


About the writer

Adaptive Shield Team

Businesses today run nearly every facet of their operations using a wide array of interconnected SaaS apps. Adaptive Shield’s team is here to keep you informed as well as help you secure your SaaS estate.