Source URL: https://www.theregister.com/2024/09/19/servicenow_knowledge_base_leaks/
Source: The Register
Title: Thousands of orgs at risk of knowledge base data leaks via ServiceNow misconfigurations
Feedly Summary: Better check your widgets, people
Security researchers say that thousands of companies are potentially leaking secrets from their internal knowledge base (KB) articles via ServiceNow misconfigurations.…
AI Summary and Description: Yes
Summary: Security researchers report that misconfigured ServiceNow knowledge base (KB) access settings can expose internal KB articles to unauthenticated users. Roughly 30% of ServiceNow customers may be leaking confidential information this way, which underscores the need for tighter access controls around knowledge management systems.
Detailed Description:
The investigation by Aaron Costello from AppOmni and Dan Meged from Adaptive Shield highlights a critical security risk associated with ServiceNow’s knowledge base (KB) configurations. Their findings focus on:
– **Misconfiguration Issues**: Many companies have set their knowledge bases to "public" while individual articles remain "private," leaving articles that were meant to be restricted reachable by unauthenticated users. The exposed content can include sensitive material such as first-time access passwords for VPN connections.
– **Extent of the Exposure**:
– Meged reports that around 30% of ServiceNow customers are potentially exposed to data leaks.
– Costello found that 45% of the ServiceNow instances he examined were inadvertently disclosing data through these misconfigurations.
– **Understanding KB Pages and Widgets**:
– KB pages differ from KB articles: a KB page is the portal page on which content is displayed (and may include multimedia), whereas a KB article is the actual document users are looking for.
– Widgets add functionality to KB pages (for example commenting and rating) and, if not configured correctly, can serve article content that the article's own access settings were meant to restrict.
– **Technical Exploitation**:
– An attacker can use an intercepting proxy such as Burp Suite to capture the HTTP requests a KB page issues and, because ServiceNow article IDs follow a predictable sequential format, request other articles' content directly, retrieving any article the misconfiguration has left exposed.
– **Security Controls**:
– ServiceNow has introduced new security controls for widgets intended to prevent data exposure, but they do not address the weaknesses described in the research, mainly because most KB articles are protected by User Criteria rather than by Access Control Lists (ACLs).
– The researchers recommend applying appropriate User Criteria to knowledge bases and articles as the primary mitigation, and enabling the Business Rule ServiceNow introduced in 2022 that blocks Guest users from accessing KB content by default.
– **Administrator Recommendations**:
– Administrators should review and enforce User Criteria on their knowledge bases and articles, run ServiceNow's native User Criteria Diagnostics to find gaps, and confirm that the available security controls are configured to block unauthorized access.
– **Research Publication Context**: Costello and Meged published their findings independently and at slightly different times, which raised questions about whether the two had collaborated and whether each acknowledged the other's work.
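As an added example (not code from the article or from either researcher's write-up), the following Python script turns the enumeration technique described above into a detection: it scans access-log lines for an unauthenticated client reading a near-consecutive run of KB article numbers within a short window, which is the footprint that walking predictable article IDs would leave. The log lines are constructed for the example; the line format, the /kb_view.do path and the "guest" session label are assumptions, so adapt the regexes to your own log source.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample access log (not from the article or any real instance).
# Assumed format per line: "<UTC timestamp> <client ip> <session user> <request path>";
# "guest" marks an unauthenticated session. The path is only there to carry a KB number.
SAMPLE_LOG = """\
2024-09-19T10:00:01Z 203.0.113.7 guest /kb_view.do?sysparm_article=KB0010020
2024-09-19T10:00:02Z 203.0.113.7 guest /kb_view.do?sysparm_article=KB0010021
2024-09-19T10:00:02Z 203.0.113.7 guest /kb_view.do?sysparm_article=KB0010022
2024-09-19T10:00:03Z 203.0.113.7 guest /kb_view.do?sysparm_article=KB0010023
2024-09-19T10:00:04Z 203.0.113.7 guest /kb_view.do?sysparm_article=KB0010024
2024-09-19T10:00:05Z 203.0.113.7 guest /kb_view.do?sysparm_article=KB0010025
2024-09-19T10:03:10Z 198.51.100.4 alice /kb_view.do?sysparm_article=KB0010020
2024-09-19T10:07:44Z 198.51.100.4 alice /kb_view.do?sysparm_article=KB0010315
2024-09-19T10:09:00Z 192.0.2.9 guest /kb_view.do?sysparm_article=KB0010001
2024-09-19T11:30:00Z 192.0.2.9 guest /kb_view.do?sysparm_article=KB0010002
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<ip>\S+)\s+(?P<user>\S+)\s+(?P<path>\S+)$")
KB_RE = re.compile(r"KB(\d{7})")  # ServiceNow article numbers: 'KB' followed by 7 digits


def parse_line(line):
    """Return (ip, user, timestamp, article number as int), or None when the line
    does not match the assumed format or carries no KB number."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    kb = KB_RE.search(m["path"])
    if not kb:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return m["ip"], m["user"], ts, int(kb.group(1))


def is_sequential(numbers, max_gap=2):
    """True when the distinct numbers form a near-consecutive run: every step
    between sorted neighbours is at most max_gap (small gaps tolerate deleted
    or unpublished articles that a real enumeration would skip over)."""
    ordered = sorted(set(numbers))
    return all(b - a <= max_gap for a, b in zip(ordered, ordered[1:]))


def detect_enumeration(log_text, window=timedelta(seconds=60), threshold=5):
    """Flag unauthenticated clients that read at least `threshold` distinct,
    near-consecutive KB articles within `window`. Returns one alert per client."""
    per_client = defaultdict(list)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, user, ts, num = parsed
        if user != "guest":  # authenticated reads are out of scope for this rule
            continue
        per_client[ip].append((ts, num))

    alerts = []
    for ip, events in per_client.items():
        events.sort()  # by timestamp
        for start in range(len(events)):
            base = events[start][0]
            in_window = [n for t, n in events[start:] if t - base <= window]
            distinct = set(in_window)
            if len(distinct) >= threshold and is_sequential(distinct):
                alerts.append({
                    "client": ip,
                    "articles": len(distinct),
                    "first": f"KB{min(distinct):07d}",
                    "last": f"KB{max(distinct):07d}",
                })
                break  # one alert per client is enough
    return alerts


if __name__ == "__main__":
    for alert in detect_enumeration(SAMPLE_LOG):
        print(alert)
```

On the constructed log the rule fires once, for 203.0.113.7 reading KB0010020 through KB0010025 as a guest in five seconds; the authenticated user and the guest who reads two articles eighty minutes apart are left alone. Tune `window` and `threshold` to the read rate of your own portal, and treat a hit as a prompt to run the User Criteria review described above rather than as proof of compromise.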
Overall, this analysis underscores a substantial exposure risk arising from misconfigured access settings on ServiceNow's platform, and the best practices that administrators responsible for security, compliance, and governance of cloud infrastructure should apply.
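As an added example (not code from the article, from ServiceNow or from the researchers), the following Python audit carries out the User Criteria review recommended above against a constructed export of knowledge bases and articles. It assumes the inheritance behaviour commonly described for ServiceNow user criteria: an article with no Can Read criteria of its own inherits its knowledge base's, an empty Can Read list means any user can read, and a Cannot Read match takes precedence over Can Read. The field names (modelled on kb_knowledge_base and kb_knowledge), the simplified criteria lists and the "Public" criterion name are assumptions; map them to the user criteria actually defined on your instance.

```python
# Constructed sample export (not from the article or any real instance).
# Field names are modelled on ServiceNow's kb_knowledge_base / kb_knowledge tables
# but are assumptions here; user criteria are simplified to lists of criterion names.
KNOWLEDGE_BASES = [
    {"sys_id": "kb_base_1", "title": "IT Self-Service", "can_read_user_criteria": []},
    {"sys_id": "kb_base_2", "title": "Employee Handbook", "can_read_user_criteria": ["Public"]},
    {"sys_id": "kb_base_3", "title": "Network Team", "can_read_user_criteria": ["Network Engineers"]},
]

ARTICLES = [
    # Inherits an empty Can Read list: readable by everyone, including guests.
    {"number": "KB0010020", "kb_knowledge_base": "kb_base_1",
     "can_read_user_criteria": [], "cannot_read_user_criteria": []},
    # Article-level criterion overrides the (empty) knowledge base setting.
    {"number": "KB0010021", "kb_knowledge_base": "kb_base_1",
     "can_read_user_criteria": ["ITIL Users"], "cannot_read_user_criteria": []},
    # Inherits a guest-reaching criterion from its knowledge base.
    {"number": "KB0010315", "kb_knowledge_base": "kb_base_2",
     "can_read_user_criteria": [], "cannot_read_user_criteria": []},
    # Explicit Cannot Read for guests wins over the inherited Public criterion.
    {"number": "KB0010316", "kb_knowledge_base": "kb_base_2",
     "can_read_user_criteria": [], "cannot_read_user_criteria": ["Public"]},
    # Restricted knowledge base, no override: fine.
    {"number": "KB0020001", "kb_knowledge_base": "kb_base_3",
     "can_read_user_criteria": [], "cannot_read_user_criteria": []},
    # Restricted knowledge base, but the article itself was opened to Public.
    {"number": "KB0020002", "kb_knowledge_base": "kb_base_3",
     "can_read_user_criteria": ["Public"], "cannot_read_user_criteria": []},
]

# Assumption: names of user criteria that an unauthenticated (guest) session satisfies.
PUBLIC_CRITERIA = {"Public"}


def audit_guest_readable(articles, knowledge_bases, public_criteria=PUBLIC_CRITERIA):
    """Return one finding per article whose effective Can Read criteria would let
    an unauthenticated user read it, stating whether the weak setting lives on the
    article or was inherited from its knowledge base."""
    kb_by_id = {kb["sys_id"]: kb for kb in knowledge_bases}
    findings = []
    for art in articles:
        kb = kb_by_id[art["kb_knowledge_base"]]
        own = set(art["can_read_user_criteria"])
        inherited = not own                       # empty article list -> inherit from KB
        effective = own or set(kb["can_read_user_criteria"])

        if set(art["cannot_read_user_criteria"]) & public_criteria:
            continue                              # explicit deny for guests takes precedence

        if not effective:
            reason = "no Can Read criteria (readable by any user)"
        elif effective & public_criteria:
            reason = "Can Read includes a guest-reaching criterion"
        else:
            continue                              # restricted to named criteria only

        where = f"inherited from KB '{kb['title']}'" if inherited else "set on the article"
        findings.append({"number": art["number"], "reason": f"{reason}, {where}"})
    return findings


if __name__ == "__main__":
    for finding in audit_guest_readable(ARTICLES, KNOWLEDGE_BASES):
        print(f"{finding['number']}: {finding['reason']}")
```

Against the constructed export the audit flags KB0010020 (knowledge base with no criteria), KB0010315 (inherits Public) and KB0020002 (article explicitly opened to Public), and is silent on the article protected by a Cannot Read entry. In practice, feed it records pulled from the two tables and compare its output with what ServiceNow's own User Criteria Diagnostics reports; disagreement usually means the inheritance assumptions above do not match how criteria are configured on that instance.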