Over the last decade, ServiceNow has been deployed readily across enterprises. With its growing popularity, combined with the lack of visibility organizations have on its security posture, at Assetnote, we worked hard to discover vulnerabilities in the ServiceNow platform.
Assetnote Security Researcher, Adam Kues, spent over a month finding an exploit chain and was credited with CVE-2024-4879, CVE-2024-5178, and CVE-2024-5217. At the time of discovery, these vulnerabilities affected an estimated 42,000+ ServiceNow instances globally.
The exploit chain would allow attackers to do the following on any ServiceNow instance without authentication (versions Vancouver and Washington):
1) Execute arbitrary Glide scripting language code
2) Executing arbitrary commands on any connected MID servers
3) Reading local system files
We released a vulnerability check through the Assetnote platform to identify vulnerable customer instances. Customers were provided a mitigation, long before any official patches were deployed.
We've gone into detail about the vulnerability and how it worked on our blog.
We reported this issue on May 14th, 2024. ServiceNow responded incredibly quickly and applied the update to all customers (excellent work!). We had the chance to work closely with their team to address these vulnerabilities, and they continued to roll out patches to secure customer instances.
To learn more about Assetnote, visit https://www.assetnote.io/.