Executive Summary
CISA has added three critical vulnerabilities in the ServiceNow platform to its Known Exploited Vulnerabilities catalog, a development with consequences for government agencies, data centers, energy providers, and software development firms. The vulnerabilities, designated CVE-2024-4879, CVE-2024-5217, and CVE-2024-5178, carry high CVSS scores that underline their severity. They have been actively exploited in the wild, so organizations must understand the threats and take immediate action to mitigate them.
Targeted Sectors and Countries
These Critical ServiceNow Vulnerabilities have been exploited primarily in the following sectors and countries:
- Sectors: Government agencies, data centers, energy providers, software development firms.
- Countries: United States, United Kingdom, Germany, Japan, South Korea.
Critical ServiceNow Vulnerabilities: Technical Information
CVE-2024-4879
Description: This vulnerability arises from an input validation flaw in ServiceNow's UI Macros. By exploiting this vulnerability, an attacker can perform unauthenticated remote code execution (RCE). The exploit leverages a Jelly Template Injection technique, allowing malicious actors to inject arbitrary code.
Impact: Given its CVSS score of 9.3, this vulnerability poses a severe threat to the integrity and availability of affected systems. Successful exploitation can lead to full system compromise, allowing attackers to execute arbitrary commands, steal sensitive data, and disrupt operations.
Mitigation: The best course of action is to upgrade to the latest patched version of ServiceNow as per the advisory KB1645154. For more details, visit the ServiceNow Advisory and Arctic Wolf Blog.
CVE-2024-5217
Description: This vulnerability is due to incomplete input validation in the GlideExpression Script of ServiceNow. It also enables unauthenticated RCE, making it a highly critical flaw.
Impact: With a CVSS score of 9.2, the impact is similarly severe. The exploit can allow attackers to gain unauthorized access and execute arbitrary commands on the affected systems, leading to potential data breaches and system takeovers.
Mitigation: Upgrading to the latest patched versions is crucial. Refer to the advisory KB1648312 for detailed mitigation steps. More information can be found on the Assetnote Research.
CVE-2024-5178
Description: This vulnerability involves unauthorized file access due to incomplete input validation in the SecurelyAccess API. It allows administrative users to access sensitive files without appropriate authorization.
Impact: With a CVSS score of 6.9, this flaw is less critical than the previous two but still poses a significant risk. Unauthorized access to sensitive files can lead to data breaches, compromising the confidentiality and integrity of the data.
Mitigation: Immediate upgrading to the latest patched versions is recommended. Refer to the advisory KB1648313 for guidance. Additional information is available on SecurityWeek.
Exploitation in the Wild
These vulnerabilities have not remained theoretical. They are actively being exploited by threat actors to steal sensitive information such as email addresses, hashed passwords, and other critical data. The targeted sectors include high-value entities like government agencies, data centers, energy providers, and software development firms.
Specific usage of these vulnerabilities includes:
- CVE-2024-4879: Attackers have been observed using Jelly Template Injection to gain remote code execution.
- CVE-2024-5217: Exploitation via incomplete input validation in the GlideExpression Script, leading to unauthorized RCE.
- CVE-2024-5178: Unauthorized administrative file access through the SecurelyAccess API.
APT Groups using this vulnerability
The exploitation campaign has seen involvement from various Advanced Persistent Threat (APT) groups known for targeting critical sectors. Among them:
- APT29 (Cozy Bear): Known for targeting government entities and private organizations.
- APT41 (Double Dragon): Active in targeting software development firms and energy providers.
These groups have a history of sophisticated exploits and are leveraging these new vulnerabilities to expand their reach and impact.
Affected Product Versions
The following versions of ServiceNow are impacted and have corresponding patches:
- Utah:
  - Patch 10 Hot Fix 3
  - Patch 10a Hot Fix 2
  - Patch 10b Hot Fix 1
- Vancouver:
  - Patch 6 Hot Fix 2
  - Patch 7 Hot Fix 3b
  - Patch 8 Hot Fix 4
  - Patch 9 Hot Fix 1
  - Patch 10
- Washington:
  - Patch 1 Hot Fix 3b
  - Patch 2 Hot Fix 2
  - Patch 3 Hot Fix 2
  - Patch 4
  - Patch 5
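A version-triage helper, added here as an example (it is not part of the advisory or of ServiceNow's own tooling): it parses build strings in the form used in the list above and reports which reported instances sit below the listed patch level for their family and patch line. It assumes the list above gives the first fixed build per patch line, that later patch lines and later families (Xanadu onward) include the fix, that families older than Utah are unpatched, and that release families compare chronologically by name, as ServiceNow names them alphabetically.

```python
import re
from typing import List, Tuple

# Fix levels taken from the "Affected Product Versions" list above: for each
# family and patch line, the first Hot Fix that carries the fix. A patch line
# listed without a Hot Fix is fixed at its base patch, encoded as (0, "").
FIX_LEVELS = {
    "utah": {(10, ""): (3, ""), (10, "a"): (2, ""), (10, "b"): (1, "")},
    "vancouver": {(6, ""): (2, ""), (7, ""): (3, "b"), (8, ""): (4, ""),
                  (9, ""): (1, ""), (10, ""): (0, "")},
    "washington": {(1, ""): (3, "b"), (2, ""): (2, ""), (3, ""): (2, ""),
                   (4, ""): (0, ""), (5, ""): (0, "")},
}
# Assumption: release families are named alphabetically, so the name of the
# newest family in the list bounds what is "newer" or "older" than the list.
NEWEST = "washington"

VERSION_RE = re.compile(
    r"^\s*([A-Za-z]+)\s+Patch\s+(\d+)([a-z]?)(?:\s+Hot\s*Fix\s+(\d+)([a-z]?))?\s*$",
    re.IGNORECASE,
)

def parse_version(text: str) -> Tuple[str, Tuple[int, str], Tuple[int, str]]:
    """Split 'Vancouver Patch 7 Hot Fix 3b' into (family, patch, hotfix)."""
    m = VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised ServiceNow version string: {text!r}")
    family, p_num, p_sfx, h_num, h_sfx = m.groups()
    patch = (int(p_num), (p_sfx or "").lower())
    hotfix = (int(h_num), (h_sfx or "").lower()) if h_num else (0, "")
    return family.lower(), patch, hotfix

def is_patched(text: str) -> bool:
    """True if the build is at or above the fix level for its patch line."""
    family, patch, hotfix = parse_version(text)
    if family not in FIX_LEVELS:
        # Assumption: families after Washington ship fixed; earlier ones do not.
        return family > NEWEST
    lines = FIX_LEVELS[family]
    if patch in lines:
        return hotfix >= lines[patch]       # tuple compare handles '3' < '3b'
    return patch > max(lines)               # later patch lines include the fix

def triage(versions: List[str]) -> List[str]:
    """Return the reported builds that still need the upgrade."""
    return [v for v in versions if not is_patched(v)]
```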
Workaround and Mitigation
1. Upgrade: The most effective mitigation strategy is to upgrade to the latest patched versions of ServiceNow as specified in the advisories.
2. Network Segmentation: Ensure that ServiceNow MID servers are properly segmented within internal networks to prevent unauthorized access.
3. Monitoring and Detection: Implement robust monitoring and detection mechanisms to identify and respond to any suspicious activities promptly.
4. Access Controls: Restrict administrative access and enforce the principle of least privilege to minimize potential exploitation vectors.
References
6. SecurityWeek