ServiceNow Fixes Flaw That Could Lead to Unauthorized Access to Instances
ServiceNow is notifying users about a now-patched vulnerability that could allow a bad actor to gain unauthorized access to data in ServiceNow cloud instances, after seeing what initially appeared to be malicious activity on some accounts earlier this month.
In a public advisory released this week, ServiceNow executives wrote that between June 3 and 4 a number of customers received reports through their own bug bounty programs about a security flaw that could lead to unauthorized access, adding that those submissions echoed a confidential submission sent to ServiceNow’s bug bounty program on April 22.
An investigation found that there was “unattributed activity” on a subset of customer instances and a security patch was applied June 5.
In another advisory available to authenticated users and shared on Reddit, ServiceNow wrote that “we have detected anomalous activity relating to the security issue. For a subset of customers, we have observed evidence of successful queries of instance tables. We have notified customers if successful queries were observed via case.”
A Problem With the Australia Platform
According to the cloud-based business process vendor, the vulnerability was in its Australia platform release, though it could also apply to users who had “made certain configuration changes” to instances on releases that came before Australia.
A person on the Reddit discussion thread who goes by the handle “d3s7iny” wrote that it was their company’s security team that detected the vulnerability and reported it to ServiceNow, adding that the first two ServiceNow support agents recommended closing the case.
They persisted and proved to another agent that the vulnerability was real and that the security team had not introduced the vulnerability itself. The person on Reddit said the team was shown an internal product backlog refinement (PBR) item indicating that ServiceNow had been made aware of the bug on April 7 but had not classified it as a threat. Instead, ServiceNow planned to fix the security flaw in its upcoming Brazil platform release.
Activity Likely Not Malicious
While saying they detected the “anomalous activity” related to the vulnerability, ServiceNow executives suggested that what was seen likely was not malicious.
In the public notice, they noted that two security researchers on June 7 submitted a report to the company’s bug bounty program, which could explain the unattributed activity.
“Based on our investigation to date, we have reason to believe the observed activity can be attributed to security researchers or customers conducting their own research,” they wrote. “Our investigation is ongoing, however, and subject to additional validation. Because this research spanned multiple organizations, some of our customers may have received related bug bounty submissions from the same researchers.”
Researchers’ Work Detected
Support cases were created for those customers whose instances were probably queried as part of the security researchers’ activity. The researchers confirmed to ServiceNow the IP addresses they used during their research and said they had not taken screenshots of the data they were able to query, nor used or kept any of it.
The researchers also told ServiceNow that “they queried tables and fields only for purposes of validating their finding and submitting bug bounty reports,” according to the vendor.
Executives wrote that the security update changes an endpoint configuration so that access is limited to authenticated users. ServiceNow is evaluating whether to publish a CVE identifier for the vulnerability and is continuing its investigation. For now, however, there is no action users need to take.

