Reference:
Advisory #2024-114
Version:
1.0
Affected software:
ServiceNow Now Platform
Type:
Remote code execution
CVE/CVSS:
CVE-2024-4879: 9.3 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N)
CVE-2024-5178: 6.9 (CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N)
CVE-2024-5217: 9.2 (CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N)
Risks
On 10 July 2024, ServiceNow released security updates that address 3 different vulnerabilities affecting ServiceNow’s Now Platform. Chained together, these vulnerabilities could be exploited by threat actors to obtain full access to configured databases and MID servers. MID servers are proxy servers that sit inside an organisation’s internal network and are used to connect to ServiceNow’s cloud.
ServiceNow’s Now Platform is a popular platform, widely used across the globe. Customers of ServiceNow often choose ServiceNow’s cloud offering, which makes these instances attractive targets as they may host sensitive data and are externally accessible.
At this time, ServiceNow has not addressed whether these vulnerabilities are being actively exploited (cut-off date: 24 July 2024). However, one security company reported having observed over 6,000 exploitation attempts. Another company reported on a proof of concept in which they chained the vulnerabilities together to access data stored on ServiceNow.
Exploitation of these vulnerabilities can have a high impact on confidentiality, integrity and availability.
Description
There are 3 vulnerabilities which, chained together, allow remote attackers to leverage template injection to gain full access to configured databases and MID servers. MID servers are proxy servers that sit inside an organisation’s internal network and are used to connect to ServiceNow’s cloud.
The 3 vulnerabilities are:
- CVE-2024-4879 is an input validation vulnerability. This vulnerability exists in the Vancouver and Washington DC releases of ServiceNow’s Now Platform.
  Exploiting this vulnerability could enable an unauthenticated user to remotely execute code within the context of the Now Platform.
- CVE-2024-5178 is a sensitive file read vulnerability. This vulnerability was identified in the Washington DC, Vancouver and Utah releases of ServiceNow’s Now Platform.
  Successful exploitation of this vulnerability could allow an administrative user to gain unauthorized access to sensitive files on the web application server.
- CVE-2024-5217 is an input validation vulnerability which was identified in the Washington DC, Vancouver and earlier releases of ServiceNow’s Now Platform.
  Exploiting this vulnerability could enable an unauthenticated user to remotely execute code within the context of the Now Platform.
Recommended Actions
Patch
The Centre for Cybersecurity Belgium strongly recommends installing updates for vulnerable devices, after thorough testing.
ServiceNow reports these vulnerabilities are addressed in patches and hot fixes:
For CVE-2024-4879
For the Utah release, refer to fixed versions:
- Utah Patch 10 Hot Fix 3
- Utah Patch 10a Hot Fix 2
For the Vancouver release, refer to fixed versions:
- Vancouver Patch 6 Hot Fix 2
- Vancouver Patch 7 Hot Fix 3b
- Vancouver Patch 8 Hot Fix 4
- Vancouver Patch 9
- Vancouver Patch 10
For the Washington DC release, refer to fixed versions:
- Washington DC Patch 1 Hot Fix 2b
- Washington DC Patch 2 Hot Fix 2
- Washington DC Patch 3 Hot Fix 1
- Washington DC Patch 4
For CVE-2024-5178
For the Utah release, refer to fixed versions:
- Utah Patch 10 Hot Fix 3
- Utah Patch 10a Hot Fix 2
- Utah Patch 10b Hot Fix 1
For the Vancouver release, please refer to fixed versions:
- Vancouver Patch 6 Hot Fix 2
- Vancouver Patch 7 Hot Fix 3b
- Vancouver Patch 8 Hot Fix 4
- Vancouver Patch 9 Hot Fix 1
- Vancouver Patch 10
For the Washington DC release, please refer to fixed versions:
- Washington DC Patch 1 Hot Fix 3b
- Washington DC Patch 2 Hot Fix 2
- Washington DC Patch 3 Hot Fix 2
- Washington DC Patch 4
For CVE-2024-5217
For the Utah release, refer to fixed versions:
- Utah Patch 10 Hot Fix 3
- Utah Patch 10a Hot Fix 2
- Utah Patch 10b Hot Fix 1
For the Vancouver release, please refer to fixed versions:
- Vancouver Patch 6 Hot Fix 2
- Vancouver Patch 7 Hot Fix 3b
- Vancouver Patch 8 Hot Fix 4
- Vancouver Patch 9 Hot Fix 1
- Vancouver Patch 10
For the Washington DC release, refer to fixed versions:
- Washington DC Patch 1 Hot Fix 3b
- Washington DC Patch 2 Hot Fix 2
- Washington DC Patch 3 Hot Fix 2
- Washington DC Patch 4
- Washington DC Patch 5
Please note that while ServiceNow implemented several mitigations, achieving code execution remains possible as long as unescaped injection points remain.
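To triage an inventory of instances against the three lists above, the following added example (not ServiceNow or CCB tooling) encodes the listed fixed builds per CVE and reports, for one build string, whether each CVE is covered. The build-string format `<Family> Patch N [Hot Fix M]`, the names `FIXED`, `check_build` and `_rank`, and the ordering of hot fixes by number and then letter suffix are assumptions; a patch line that is not on the list is reported as `unlisted` rather than guessed.

```python
import re

# Fixed builds copied from the advisory's lists: CVE -> family -> patch -> minimum hot fix
# ("" means the patch itself is listed as fixed, with no hot fix required).
_COMMON = {
    "utah": {"10": "3", "10a": "2", "10b": "1"},
    "vancouver": {"6": "2", "7": "3b", "8": "4", "9": "1", "10": ""},
    "washington dc": {"1": "3b", "2": "2", "3": "2", "4": ""},
}
FIXED = {
    "CVE-2024-4879": {
        "utah": {"10": "3", "10a": "2"},
        "vancouver": {"6": "2", "7": "3b", "8": "4", "9": "", "10": ""},
        "washington dc": {"1": "2b", "2": "2", "3": "1", "4": ""},
    },
    "CVE-2024-5178": _COMMON,
    "CVE-2024-5217": {**_COMMON, "washington dc": {**_COMMON["washington dc"], "5": ""}},
}

BUILD_RE = re.compile(
    r"^(utah|vancouver|washington dc)\s+patch\s+(\d+[a-z]?)"
    r"(?:\s+hot\s?fix\s+(\d+[a-z]?))?$", re.IGNORECASE)

def _rank(tag):
    # Assumption: hot fixes order by number, then letter suffix ("3" < "3b" < "4").
    m = re.fullmatch(r"(\d*)([a-z]?)", tag)
    return int(m.group(1) or 0), m.group(2)

def check_build(build):
    """Map each CVE to 'fixed', 'not fixed' or 'unlisted' for one build string."""
    m = BUILD_RE.match(build.strip())
    if not m:
        return {cve: "unlisted" for cve in FIXED}  # family or format not on the page
    family, patch = m.group(1).lower(), m.group(2).lower()
    hotfix = (m.group(3) or "").lower()
    result = {}
    for cve, families in FIXED.items():
        minimum = families[family].get(patch)
        if minimum is None:
            result[cve] = "unlisted"  # patch line not on the page: check the vendor KB
        else:
            result[cve] = "fixed" if _rank(hotfix) >= _rank(minimum) else "not fixed"
    return result
```

For example, `check_build("Vancouver Patch 9")` reports CVE-2024-4879 as fixed but the other two as not fixed, because their lists require Hot Fix 1 on that patch.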
Monitor/Detect
The CCB recommends organizations upscale monitoring and detection capabilities to identify any related suspicious activity, ensuring a swift response in case of an intrusion.
While patching appliances or software to the newest version may provide safety from future exploitation, it does not remediate historic compromise.