On July 10, 2024, ServiceNow disclosed a series of critical vulnerabilities impacting their platform, identified as CVE-2024-4879, CVE-2024-5178, and CVE-2024-5217. These vulnerabilities were responsibly disclosed to ServiceNow in May 2024 by Assetnote, a cybersecurity firm. ServiceNow responded by patching hosted instances in June 2024.
In its published research article, Assetnote demonstrated that the three vulnerabilities could be chained together to achieve unauthorized remote code execution on the ServiceNow MID Server, a component that is used as a proxy to ServiceNow cloud instances. In a typical configuration, ServiceNow MID is deployed behind the firewall and initiates connections to ServiceNow cloud instances in a unidirectional fashion.
Exploitation of these vulnerabilities could lead to remote code execution, unauthorized access to sensitive data, or disruption of operations for affected organizations. Although there have been no reports of these vulnerabilities being exploited in the wild, threat actors are expected to develop their own exploits based on the technical details that have been published. However, since ServiceNow MID is deployed within internal networks and is not designed for inbound communications from the internet, threat actors would need access to the internal network where the vulnerable service resides in order to exploit these vulnerabilities.
Vulnerabilities CVE-2024-4879, CVE-2024-5178, and CVE-2024-5217
These vulnerabilities were first publicly disclosed on July 10, 2024 by ServiceNow.
| CVE | CVSS | Description | Active Exploitation Reported? | Public PoC Exploit Code Published? |
|---|---|---|---|---|
| CVE-2024-4879 | 9.3 | Unauthenticated RCE – Jelly Template Injection Vulnerability in ServiceNow UI Macros. This vulnerability could enable an unauthenticated user to remotely execute code within the context of the Now Platform. | No | No |
| CVE-2024-5178 | 6.9 | Unauthorized File Access – Incomplete Input Validation in SecurelyAccess API. This vulnerability could allow an administrative user to gain unauthorized access to sensitive files on the web application server. | No | No |
| CVE-2024-5217 | 9.2 | Unauthenticated RCE – Incomplete Input Validation in GlideExpression Script. This vulnerability could enable an unauthenticated user to remotely execute code within the context of the Now Platform. | No | No |
Affected and Fixed Products/Versions
| Release | Fixed Version |
|---|---|
| Utah | Utah Patch 10 Hot Fix 3<br>Utah Patch 10a Hot Fix 2<br>Utah Patch 10b Hot Fix 1 |
| Vancouver | Vancouver Patch 6 Hot Fix 2<br>Vancouver Patch 7 Hot Fix 3b<br>Vancouver Patch 8 Hot Fix 4<br>Vancouver Patch 9 Hot Fix 1<br>Vancouver Patch 10 |
| Washington | Washington DC Patch 1 Hot Fix 3b<br>Washington DC Patch 2 Hot Fix 2<br>Washington DC Patch 3 Hot Fix 2<br>Washington DC Patch 4<br>Washington DC Patch 5 |
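The following Python check is an added example, not code from Arctic Wolf or ServiceNow: it classifies an instance's version string against the fixed-version table above. The version-string format, the hot fix ordering (numeric, then letter suffix, cumulative within a patch) and the treatment of patches beyond those listed are assumptions to confirm against the ServiceNow advisories.

```python
import re

# Minimum fixed hot fix per (release family, patch), transcribed from the
# table above. (0, "") means the patch itself already contains the fix.
FIXED = {
    "utah": {"10": (3, ""), "10a": (2, ""), "10b": (1, "")},
    "vancouver": {"6": (2, ""), "7": (3, "b"), "8": (4, ""),
                  "9": (1, ""), "10": (0, "")},
    "washington dc": {"1": (3, "b"), "2": (2, ""), "3": (2, ""),
                      "4": (0, ""), "5": (0, "")},
}

VERSION_RE = re.compile(
    r"^\s*(?P<family>[A-Za-z ]+?)\s+Patch\s+(?P<patch>\d+[a-z]?)"
    r"(?:\s+Hot\s*Fix\s+(?P<hf>\d+)(?P<suffix>[a-z]?))?\s*$",
    re.IGNORECASE,
)

def patch_number(label):
    """Numeric part of a patch label such as '10a'."""
    return int(re.match(r"\d+", label).group())

def check_version(version):
    """Classify a version string as 'fixed', 'vulnerable' or 'unknown'."""
    m = VERSION_RE.match(version)
    if not m:
        return "unknown"
    family = m["family"].lower()
    if family == "washington":  # the table's Release column omits "DC"
        family = "washington dc"
    patches = FIXED.get(family)
    if patches is None:
        return "unknown"  # release family not covered by the table
    patch = m["patch"].lower()
    hotfix = (int(m["hf"] or 0), (m["suffix"] or "").lower())
    if patch in patches:
        # Assumption: hot fixes on one patch are cumulative and ordered.
        return "fixed" if hotfix >= patches[patch] else "vulnerable"
    listed = [patch_number(p) for p in patches]
    if patch_number(patch) < min(listed):
        return "vulnerable"
    if patch_number(patch) > max(listed):
        return "fixed"  # assumption: later patches include the fix
    return "unknown"

if __name__ == "__main__":
    # Constructed inventory, not real instance data.
    for v in ["Vancouver Patch 7 Hot Fix 3a", "Utah Patch 10b Hot Fix 1",
              "Washington DC Patch 5", "Xanadu Patch 1"]:
        print(f"{v}: {check_version(v)}")
```

A result of "unknown" means the table does not cover that build, so it needs a manual check against the vendor advisory rather than being treated as safe.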
Recommendations for CVE-2024-4879, CVE-2024-5178, and CVE-2024-5217
Upgrade To a Fixed Version of ServiceNow
Arctic Wolf strongly recommends upgrading to the latest patched versions of the ServiceNow platform. Please refer to the official ServiceNow advisories for detailed information on the patched versions.
For more details, see the advisories published for each vulnerability:
Please follow your organization’s patching and testing guidelines to avoid any operational impact.