- ServiceNow fixed three flaws in July 2024, but researchers from GreyNoise saw a resurgence of abuse
- The flaws can be used for full database access
- Users should patch immediately to make sure they are protected
There has been a “notable resurgence” in the abuse of three concerning ServiceNow security vulnerabilities, experts are warning.
In May 2024, security researchers from Assetnote found vulnerabilities, tracked as CVE-2024-4879, CVE-2024-5178, and CVE-2024-5217, which ServiceNow patched in July of the same year.
However, it seems that many organizations did not get the memo, since their instances remained unpatched, and have now become a target, according to researchers from GreyNoise.
Chaining the bugs
The researchers found there has been a significant uptick in the attacks abusing these flaws, and although they couldn’t attribute the attacks to any known threat actors, they did note that almost three-quarters (70%) of the attacks targeted Israeli firms. Notable activity was also spotted in Germany, Japan, and Lithuania.
The vulnerabilities can be abused separately, but when they’re chained, they grant “full database access,” GreyNoise added, which puts vulnerable organizations at immense risk, since ServiceNow is used to handle sensitive employee information.
The attackers would inject a payload which checks for a specific result in the server response. If it gets the appropriate one, it deploys a second-stage payload that checks the contents of the database.
The last step is to dump user lists and account credentials. While most of the time the credentials are hashed, there are some examples where the credentials were dumped in plaintext.
That can lead to account compromise which, in turn, can carry devastating consequences, such as ransomware attacks.
ServiceNow is a cloud-based platform that provides enterprise IT service management (ITSM) and automation solutions.
It helps organizations streamline workflows, automate business processes, and improve efficiency across IT, HR, customer service, security, and other departments.
ServiceNow has almost 300,000 internet-exposed instances, making it quite a popular solution.
Some of its clients include Coca-Cola (uses it for streamlining IT service management), Dell (IT service automation and management), Deloitte (IT service automation and optimization), and the State of California ( managing state-wide IT services and operations).
Via TechCrunch
Leave a comment