Earlier this week, ServiceNow announced on its support site that misconfigurations within the platform could result in “unintended access” to sensitive data. For organizations that use ServiceNow, this security exposure is a critical concern that could have resulted in major data leakage of sensitive corporate data. ServiceNow has since taken steps to fix this issue.
This article fully analyzes the issue, explains why this critical application misconfiguration could have had serious consequences for businesses, and remediation steps companies would take, if not for the ServiceNow fix. (Although, recommended to double check that the fix has closed the organization’s exposure.)
In a Nutshell
ServiceNow is a cloud-based platform used for automating IT service management, IT operations management, and IT business management for customer service, as well as HR, security operations, and a wide variety of additional domains. This SaaS application is considered to be one of the top business-critical applications due to its infrastructural nature, extensibility as a development platform, and access to confidential and proprietary data throughout the organization.
Simple List is an interface widget that pulls data that is stored in tables and uses them in dashboards. The default configuration for Simple List allows the data in the tables to be accessed remotely by unauthenticated users. These tables include sensitive data, including content from IT tickets, internal classified knowledge bases, employee details, and more.
These misconfigurations have actually been in place since the introduction of Access Control Lists in 2015. To date, there were no reported incidents as a result. However, considering the recent publication of the data leakage research, leaving it unresolved could have exposed companies more than ever.
This exposure was the result of just one default configuration — and there are hundreds of configurations covering access control, data leakage, malware protection, and more that must be secured and maintained. For organizations using an SSPM (SaaS Security Posture Management solution), like Adaptive Shield, organizations can more easily identify risky misconfigurations and see if they are compliant or non-compliant (see image 1 below).
Inside the ServiceNow Misconfigurations
It’s important to reiterate that this issue was not caused by a vulnerability in ServiceNow’s code but by a configuration that exists within the platform.
This issue stems from security controls in a ServiceNow Access Control List (ACL) widget called Simple List, which puts records into easily readable tables. These tables organize information from multiple sources and have configurations with a default setting of Public Access.
Because these tables are the core of ServiceNow, the issue wasn’t contained within a single setting that can be fixed. It needed to be remediated in multiple locations within the application in combination with the usage of the UI widget, and throughout all tenants. Further complicating the issue, was that changing a single setting could break existing workflows connected to the Simple List tables, causing severe disruption of existing processes.
Published by ServiceNow in their knowledge base article – General Information | Potential Public List Widget Misconfiguration, the exposure assessment and remediation measures include:
- Review Access Control Lists (ACLs) that either are entirely empty or, alternately, contain the role “Public”
- Review public widgets and set the “Public” flag to false where it is not aligned with their use cases
- Consider using stricter access control measures using built-in controls offered by ServiceNow, such as IP Address Access Control or Adaptive Authentication
- Consider installing ServiceNow Explicit Roles Plugin. ServiceNow states that the plugin prevents external users from accessing internal data and instances using this plugin are not affected by this issue (the plugin ensures that every ACL declares at least one role requirement)
These recommended remediation steps can still be utilized for organizations that are exposed (even after the fix) as it’s worth double checking to ensure top security throughout the organization.
Automate Data Leakage Prevention for ServiceNow
Organizations that use a SaaS Security Posture Management (SSPM) solution, like Adaptive Shield, are able to gain visibility into ServiceNow’ and any other SaaS app’s configurations and remediate any configuration issue.
|Image 1: Adaptive Shield dashboard with the compliance framework: ServiceNow KB1553688 – Public List Widget Misconfiguration|
SSPMs alert security teams when there are high-risk configurations, enabling them to adjust their settings and prevent any type of data leakage. This way, companies gain a better understanding of their company’s attack surface, level of risk, and security posture with an SSPM.