On October 18, 2023, ServiceNow published a knowledge base article stating that it is aware of reporting that details a potential misconfiguration issue. The issue lies in Access Control Lists (ACLs) within ServiceNow that, if misconfigured, could allow unauthenticated threat actors to access data. The issue was discovered by a security engineer at AppOmni and was disclosed to the public in a blog on October 14, 2023.
In public instances of ServiceNow portals, if an Access Control List (ACL) is configured with no role, no condition, and no script, a threat actor could abuse the SimpleListWidget (a ServiceNow widget that is set to public without any roles defined by default) to read specific tables that could include sensitive data.
Note: If ACLs are configured correctly or the widget is not public, threat actors cannot access the tables.
Misconfigurations in ServiceNow are common; in 2022, AppOmni also found that nearly 70% of tested ServiceNow instances were vulnerable to a nearly identical misconfiguration, where the root cause was a combination of misconfigured ACLs and over-provisioning of permissions to guest users.
Opportunistic threat actors could leverage this misconfiguration to exfiltrate sensitive data from organizations in the near future. If a threat actor is attempting to abuse this misconfiguration and does not have the site’s schema, they will not be able to read customer tables or tables specific to the ServiceNow applications, because the payload needs the table name as an input.
Arctic Wolf is aware that ServiceNow has been contacting some of their customers about proactive maintenance actions taken to remediate this issue.
Recommendation #1: Identify/fix Issue if Potentially Vulnerable
ServiceNow has provided instructions that customers can follow to identify and fix the issue in their instance. Performing the following actions will ensure that unauthenticated users cannot read tables through the SimpleListWidget or other public portal widgets:
- Identify any ACLs that are configured in your instance
- Update the ACLs by adding gs.isLoggedIn() to the script section of the ACL
Note: If you intend for unauthenticated users to read the data in question, no action is required.
Recommendation #2: Instance Hardening
ServiceNow has also provided additional steps that customers can perform to further secure their instance:
- Review ACLs: ACLs that are empty or contain the role “Public” should be reviewed to determine if the underlying data should be publicly accessible.
- Review public widgets: Public widgets should be reviewed and, if public access is deemed unnecessary, should have the “Public” flag set to false.
- IP access control: Limit access to trusted IP addresses.
- Review Knowledge Base user criteria definitions: Confirm that access to Knowledge Base content aligns with your requirements. Further details by ServiceNow can be found here.
- Review transaction logs: For instances with SimpleListWidget and tables or columns configured with ACLs with no role, no condition, and no script, we recommend that you review your transaction logs as described in KB1555166 to evaluate whether access occurred as intended and in accordance with your business needs.
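The ACL identification step in Recommendation #1 and the "Review ACLs" item in Recommendation #2 can be triaged offline against an export of ACL records. The following is an added example, not ServiceNow's or Arctic Wolf's code; the record shape (name, operation, active, roles, condition, script) and all sample values are constructed assumptions.

```javascript
// Added example: offline triage of exported ACL records.
// Assumed record shape: { name, operation, active, roles: [...], condition, script }
const isBlank = (v) => v === undefined || v === null || String(v).trim() === "";

// Classify one ACL according to the two review criteria on this page.
function classifyAcl(acl) {
  const roles = (acl.roles || [])
    .map((r) => String(r).trim().toLowerCase())
    .filter(Boolean);
  if (roles.length === 0 && isBlank(acl.condition) && isBlank(acl.script)) {
    return "EMPTY"; // no role, no condition, no script: nothing gates the read
  }
  if (roles.includes("public")) {
    return "PUBLIC_ROLE"; // confirm the underlying data is meant to be public
  }
  return "OK";
}

// Return only active read ACLs that need review (the issue concerns reading tables).
function auditAcls(acls) {
  return acls
    .filter((a) => a.active !== false && a.operation === "read")
    .map((a) => ({ name: a.name, finding: classifyAcl(a) }))
    .filter((f) => f.finding !== "OK");
}

// Constructed sample export; table and column names are hypothetical.
const SAMPLE_ACLS = [
  { name: "u_demo_asset", operation: "read", active: true, roles: [], condition: "", script: "" },
  // Whitespace-only script still counts as empty.
  { name: "u_demo_asset.u_owner", operation: "read", active: true, roles: [], condition: "", script: "  \n" },
  // Remediated per Recommendation #1: script requires a logged-in session.
  { name: "u_demo_ticket", operation: "read", active: true, roles: [], condition: "", script: "answer = gs.isLoggedIn();" },
  { name: "u_demo_faq", operation: "read", active: true, roles: ["Public"], condition: "", script: "" },
  { name: "u_demo_hr", operation: "read", active: true, roles: ["itil"], condition: "", script: "" },
  { name: "u_demo_old", operation: "read", active: false, roles: [], condition: "", script: "" },
  { name: "u_demo_asset", operation: "write", active: true, roles: [], condition: "", script: "" },
];

for (const f of auditAcls(SAMPLE_ACLS)) {
  console.log(`${f.finding}\t${f.name}`);
}
```

Each EMPTY finding is a candidate for the gs.isLoggedIn() script change unless public read access to that table or column is intended.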