A recent analysis indicated that more than 1,000 business ServiceNow instances have inadvertently unveiled confidential corporate information through their Knowledge Bases (KBs), presenting notable security hazards to affected entities.
Research carried out by AppOmni in the past year discovered that almost 45% of the complete enterprise instances examined had inaccurately set KB access controls, resulting in the exposure of private data like Personally Identifiable Information (PII), internal system particulars, and active credentials or tokens linked to live production systems.
Enterprises with numerous ServiceNow instances consistently misconfigured KB access controls for each instance, indicating a uniform misunderstanding or unintentional duplication of subpar controls.
The underlying issue of this vulnerability is rooted in the intricate nature of User Criteria, which are utilized to safeguard KBs instead of Access Control Lists (ACLs).
In contrast to ACLs, which recently received improvements with a ‘UserIsAuthenticated’ Security Attribute, User Criteria do not gain from this supplemental layer of security.
“The core issue (inaccurate ACLs), was resolved by automatically incorporating a security attribute to the out-of-the-box (OOB) ACLs, while the pathways for data exposure (public widgets) were alleviated through the implementation of system features that restricted the data accessible to the widgets,” mentioned Aaron Costello, from AppOmni stated.
Furthermore, many system administrators are unaware that specific User Criteria, such as ‘Any User’ and ‘Any user for kb’, provide access to unverified users, leading to inadvertent data disclosure.
The examination also emphasized that numerous enterprise instances established prior to the Orlando release still retain the unsecured ‘allow public access by default’ setting for KBs.
This, when coupled with the complex interplay between multiple system attributes and their impact on access, has brewed a perfect environment for data breaches.
To showcase how effortlessly an unauthenticated malevolent actor could reach an insecure KB article, the researcher provided a demonstration using an HTTP proxy such as Burp Suite.
This technique allows for the systematic testing of article IDs, facilitating the swift identification and access of exposed articles.
In response to these discoveries, entities are strongly advised to promptly fortify their KBs. This encompasses staying informed about pertinent security attributes, activating predefined Business Rules to deter unauthenticated access by default, and regularly conducting assessments on KB access controls using ServiceNow’s integrated utilities.
By rectifying these vulnerabilities, entities can substantially diminish the likelihood of data breaches and safeguard their critical resources.
The article 1,000+ ServiceNow Instances Leaking Corporate Data Via Knowledge Bases was first published on Cyber Security News.