ServiceNow Knowledge Bases Exposing Sensitive Data Across Enterprise Instances

On September 17, 2024, AppOmni released a report exposing data vulnerabilities in ServiceNow’s Knowledge Bases (KBs). The report highlights significant risks related to misconfigured access controls that continue to jeopardize enterprise data security.


Introduction

AppOmni's report, published on September 17, 2024, documents how misconfigured access controls on ServiceNow Knowledge Bases (KBs) continue to expose enterprise data. ServiceNow's 2023 updates hardened Access Control Lists (ACLs), but KB read access is governed by User Criteria rather than ACLs, so those updates left sensitive internal articles reachable by unauthenticated users.

Report Overview

AppOmni's investigation, which ran for more than a year, found that roughly 45% of the ServiceNow enterprise instances it tested had misconfigured KBs that exposed data to unauthenticated users, including Personally Identifiable Information (PII), internal system details and, in some cases, active credentials. Aaron Costello, the AppOmni researcher behind the report, traces the problem to outdated configurations and a widespread misunderstanding of how KB access controls work, particularly in organizations that run several ServiceNow instances: when a new instance is cloned from an existing one, its insecure KB settings are copied along with it, so one misconfiguration becomes many.

Two factors drive the exposure: User Criteria that are missing, outdated or too permissive on the KBs themselves, and a misplaced reliance on ACL-level protections. ServiceNow's 2023 updates introduced a dual-layered approach, adding Security Attributes to ACLs and security properties intended to block unauthenticated access to data-serving widgets. KB read access, however, is decided primarily by User Criteria rather than ACLs, so the added Security Attributes have little or no effect on KBs: a Knowledge Base whose User Criteria still admit guest users remains readable regardless of the ACL hardening.

The report also notes the continued presence of public-facing widgets that hand KB content to unauthenticated callers. One of them, the 'KB Article Page' widget, takes an article number as input, and because ServiceNow article numbers are sequential (KB0000001, KB0000002, and so on), a caller needs no prior knowledge of which articles exist: a brute-force run with a tool such as Burp Suite simply iterates the number and collects the full body of every article the widget is willing to serve to a guest.

Insights and Analysis

Aaron Costello argues that securing Knowledge Bases needs more than ACL updates. He attributes the persistent exposures to three things: reliance on outdated default configurations, misuse of User Criteria, and administrators not understanding how User Criteria relate to the rest of the access-control model. Together these gaps let unauthenticated users read KB content intended for internal audiences only.

Preventative Measures

To mitigate these risks, organizations using ServiceNow are advised to:

  1. Regularly review and update KB access controls: check the User Criteria (and any supporting ACLs) on every KB in every instance, paying particular attention to older instances and to instances cloned from them, which may still carry insecure default settings.
  2. Enable business rules: ServiceNow introduced a business rule in 2022 that denies unauthenticated access to newly created KBs by default. Make sure the rule is enabled, and remember that it acts only on new KBs; Knowledge Bases created before it was introduced have to be reviewed and corrected by hand.
  3. Run diagnostics: use ServiceNow's built-in diagnostics, such as the User Criteria diagnostics feature, to find articles that unauthenticated users can read, and treat every hit as a finding to fix rather than an exception to document.
  4. Track ServiceNow security guidance: apply security patches promptly and follow the recommendations published by ServiceNow's security team.
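The built-in diagnostics above check a Knowledge Base from the inside. The script below is an added example (my code, not AppOmni's tooling or anything from the report) that checks the same question from the outside, the way the brute-force described earlier would: it walks sequential article numbers, calls the Service Portal widget API with no credentials, and reports every article the widget serves to a guest. The widget API path `/api/now/sp/widget/<widget_id>`, the default widget ID `kb-article-page`, the parameter name `sysparm_article` and the JSON shape of the sample responses are all assumptions; confirm the first three in the `sp_widget` table of your own instance before trusting the results, and run it only against instances you are authorized to test.

```python
"""Guest-access audit for ServiceNow KB articles served by a public widget.
ASSUMPTIONS (mine, not from the AppOmni report): the widget API path, the
default WIDGET_ID, the parameter the widget reads, and the sample JSON shape.
Confirm the widget ID and parameter in your instance's sp_widget table."""
import json
import re
import time
import urllib.error
import urllib.parse
import urllib.request
from typing import Any, Callable, Dict, List, Optional, Tuple

WIDGET_ID = "kb-article-page"      # ASSUMPTION: check sp_widget on your instance
ARTICLE_PARAM = "sysparm_article"  # ASSUMPTION: parameter the widget reads
KB_NUMBER_RE = re.compile(r"^KB\d{7}$")
Fetch = Callable[[str], Tuple[int, str]]  # article number -> (status, body)


def kb_number(n: int) -> str:
    """Format a sequence position as an article number: 1 -> KB0000001."""
    if not 1 <= n <= 9_999_999:
        raise ValueError("article sequence out of range")
    return f"KB{n:07d}"


def find_article(node: Any) -> Optional[Dict[str, Any]]:
    """Walk a widget JSON payload and return the first object carrying a KB
    article number; the widget's schema is not assumed beyond those keys."""
    if isinstance(node, dict):
        num = node.get("number")
        if isinstance(num, str) and KB_NUMBER_RE.match(num):
            return {"number": num,
                    "short_description": str(node.get("short_description", "")),
                    "has_body": bool(node.get("text"))}
        for value in node.values():
            hit = find_article(value)
            if hit:
                return hit
    elif isinstance(node, list):
        for item in node:
            hit = find_article(item)
            if hit:
                return hit
    return None


def probe(fetch: Fetch, number: str) -> Optional[Dict[str, Any]]:
    """Return article details if the widget served `number` to a guest. A 401/403,
    a non-JSON body, or a 200 with no (or a different) article counts as not exposed."""
    status, body = fetch(number)
    if status != 200:
        return None
    try:
        payload = json.loads(body)
    except json.JSONDecodeError:
        return None
    hit = find_article(payload)
    return hit if hit and hit["number"] == number else None


def audit(fetch: Fetch, start: int = 1, count: int = 100,
          delay: float = 0.0) -> List[Dict[str, Any]]:
    """Walk `count` sequential article numbers from `start` and collect the exposed
    ones. `delay` throttles the loop so an audit of a production instance does
    not itself look like the brute force it is checking for."""
    exposed = []
    for n in range(start, start + count):
        hit = probe(fetch, kb_number(n))
        if hit:
            exposed.append(hit)
        if delay:
            time.sleep(delay)
    return exposed


def http_fetch(instance_url: str, widget_id: str = WIDGET_ID,
               param: str = ARTICLE_PARAM) -> Fetch:
    """Build a Fetch that calls the widget API with no credentials at all."""
    base = instance_url.rstrip("/") + "/api/now/sp/widget/" + urllib.parse.quote(widget_id)

    def fetch(number: str) -> Tuple[int, str]:
        url = base + "?" + urllib.parse.urlencode({param: number})
        req = urllib.request.Request(url, data=b"{}", method="POST", headers={
            "Content-Type": "application/json", "Accept": "application/json"})
        try:
            with urllib.request.urlopen(req, timeout=15) as resp:
                return resp.status, resp.read().decode("utf-8", "replace")
        except urllib.error.HTTPError as err:
            return err.code, err.read().decode("utf-8", "replace")
    return fetch


# Constructed sample responses (not captured from any real instance) so the logic
# runs offline: one article served to a guest, one empty payload, one rejection.
SAMPLE_RESPONSES = {
    "KB0000001": (200, '{"result": {"data": {"article": {"number": "KB0000001", '
                       '"short_description": "VPN onboarding for contractors", '
                       '"text": "<p>Connect to vpn.example.com ...</p>"}}}}'),
    "KB0000002": (200, '{"result": {"data": {"article": null}}}'),
    "KB0000003": (401, '{"error": {"message": "User Not Authenticated"}}'),
}


def sample_fetch(number: str) -> Tuple[int, str]:
    return SAMPLE_RESPONSES.get(number, (404, ""))


if __name__ == "__main__":
    # Offline demo; swap in http_fetch("https://<instance>.service-now.com") to audit
    # an instance you are authorized to test.
    for hit in audit(sample_fetch, start=1, count=5):
        print(f"EXPOSED {hit['number']}: {hit['short_description']}")
```

Only a 200 whose payload actually contains the requested article counts as exposed; a widget that answers a guest with an empty payload, or with a 401/403, is behaving as it should. The `delay` argument matters on a live instance: an audit that hammers the widget at full speed is indistinguishable in the logs from the attack it is looking for.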

Conclusion

The exposure of sensitive data via misconfigured Knowledge Bases is an ongoing issue for ServiceNow customers. While ServiceNow has taken steps to improve security, these measures fall short in addressing the vulnerabilities within KBs. Organizations must take proactive steps to ensure their Knowledge Bases are properly secured, minimizing the risk of unauthorized data access.

Indicators of Compromise (IOCs)

No specific Indicators of Compromise (IOCs) were provided in the source material.

MITRE ATT&CK Tactics and Techniques

Tactic         | Technique                           | ID    | Description
Initial Access | Exploit Public-Facing Application   | T1190 | An attacker uses a misconfigured, internet-facing ServiceNow Knowledge Base (permissive User Criteria plus a public widget) to reach data meant for internal users.
Collection     | Data from Information Repositories  | T1213 | Unauthenticated callers query public-facing widgets to read Knowledge Base articles that the KB's access controls should have withheld.
Exfiltration   | Automated Exfiltration              | T1020 | Scripted iteration over sequential article numbers lets an unauthenticated actor pull article bodies in bulk.

References

Enterprise ServiceNow Knowledge Bases at Risk, AppOmni, September 17, 2024.