1.2 C
New York
Wednesday, December 25, 2024

Misconfigured ServiceNow Data Bases Expose Confidential Info


Customers of ServiceNow, a cloud-based platform used to handle IT companies and processes, may very well be unknowingly exposing confidential data, together with names, telephone numbers, inner system particulars, and lively credentials.

Misconfiguration of Data Bases — self-service platforms inside ServiceNow the place customers can create, retailer, and share data comparable to articles and guides — might result in unauthorised people having access to the system. Many organisations use Data Bases as repositories of delicate inner data, comparable to the right way to reset firm passwords, how to answer a cyberattack, information associated to HR processes, and extra.

In keeping with a new weblog from SaaS safety platform supplier AppOmni, round 60% of exposures contain older variations of Data Bases which might be set as much as permit public entry by default. Others have “Consumer Standards” — guidelines that outline particular situations for customers to entry or contribute to Data Bases — which might be unintentionally granting entry to unauthenticated customers.

SEE: ServiceNow vs Jira Service Administration

ServiceNow is utilized by 85% of Fortune 500, and over a thousand cases are at the moment arrange incorrectly. Many organisations with a number of ServiceNow cases had been discovered to have constantly misconfigured Data Base entry controls, indicating that the settings had been both cloned throughout cases or a elementary misunderstanding of how they work exists.

Aaron Costello, chief of SaaS safety analysis at AppOmni, mentioned, “This highlights the pressing want for enterprises to routinely examine and replace their safety configurations to stop unauthorised entry and shield their information property.

“Understanding these points and the right way to mitigate them is crucial for sustaining strong safety in enterprise SaaS environments.”

This isn’t the primary time ServiceNow has been discovered to have been exposing delicate information as a result of person misconfigurations. In 2020, one other researcher reported the same discovering the place Data Base articles had been publicly accessible via a now-secure UI web page.

Ben De Bont, chief data safety officer at ServiceNow, mentioned, “ServiceNow is dedicated to fostering collaboration with the safety group. We’re dedicated to defending our prospects’ information, and safety researchers are necessary companions in our ongoing efforts to enhance the safety of our merchandise.”

What are the Data Base misconfigurations?

AppOmni found three circumstances whereby companies had been placing their ServiceNow Data Bases vulnerable to compromise:

  1. If utilizing an older model of ServiceNow the place the default settings for Data Base permit public entry when Consumer Standards aren’t arrange.
  2. If the “Any Consumer” and “Any person for kb” Consumer Standards are used as allowlists. Each of those grant entry to unauthenticated customers, which directors might not realise.
  3. If directors don’t configure denylists, permitting exterior customers to bypass entry controls.

SEE: 6 Greatest Governance, Danger & Compliance (GRC) Instruments for 2024

How attackers can acquire entry to the Data Bases

In keeping with Costello’s proof of idea, attackers can acquire entry to misconfigured Data Bases via Public Widgets, such because the “KB Article Web page” widget, which shows content material from a selected Data Base article.

An attacker can automate requests to seek out and entry articles via the widget utilizing a device known as Burp Suite. That is simpler with the KB Article Web page widget, which makes use of a predictable format for article IDs of “KBXXXXXXX,” the place X represents a optimistic integer.

Burp Suite’s Intruder function can rapidly iterate over these integers and determine articles that could be uncovered unintentionally. It could actually then return the physique textual content, which can comprise the delicate information of a number of unsecured articles directly.

Find out how to safe Data Bases in opposition to unauthorised entry

Run common diagnostics on Data Base entry controls

ServiceNow’s Consumer Standards diagnostics device permits directors to find out which customers, each authenticated and unauthenticated, have the flexibility to entry Data Bases and particular person articles.

Navigate to /get_public_knowledge_bases.do to determine public Data Bases, and the total diagnostics device at /km_diagnostics.do to determine the entry stage of public and private customers to particular person articles.

Use Enterprise Guidelines to disclaim unauthenticated entry to Data Bases by default

Make sure the “sys_id 6c8ec5147711111016f35c207b5a9969” Enterprise Rule — which provides the Visitor Consumer to the “Can’t Learn and Can’t Contribute” Consumer Standards — is activated for Data Bases.

Related Articles

LEAVE A REPLY

Please enter your comment!
Please enter your name here

Latest Articles