ServiceNow misconfiguration went unexploited, but still cause for concern

Just 1% of 5,000 companies remain exposed to a vulnerability in ServiceNow, according to research by Adaptive Shield. (Adobe Stock)
News of a misconfiguration in ServiceNow caused great concern over the past several days because it’s estimated that 80% of Fortune 500 companies deploy ServiceNow. If a company had been breached, security experts said there would have been direct risks such as data leaks, including passwords, sensitive ticket info, and PII, as well as indirect risks from social engineering campaigns and impact on the organization’s reputation.

But as of Oct. 31, there are no known reported exploits or data loss as a result of the ServiceNow misconfiguration.

Maor Bin, co-founder and CEO at Adaptive Shield, said since reports of the ServiceNow misconfiguration came out last week, his research team detected more than 5,000 exposed companies, many of them Fortune 500 businesses. Bin said that once ServiceNow released the fix, reportedly on Oct. 20, his team reassessed the exposed portals and found that 99% of the tables within the portals are not accessible, leaving just 1% of affected organizations exposed.

“A single misconfiguration is an Achilles heel to an organization’s SaaS app stack,” said Bin. “They provide an inadvertent gateway for potential threats. In my experience, I have seen this type of misconfiguration be a default one, across many critical apps — and it underscores the importance of meticulous configuration management, where each setting is checked and monitored for compliance.”

Bin said the exposure — which dates back to 2015 — was the result of a set of configurations for the ServiceNow Simple List widget that lets the data in the tables be accessed remotely by unauthenticated users. These tables organize information from multiple sources and have configurations with a default setting of public access.

Because these tables are the core of ServiceNow, Bin said the issue isn’t contained within a single setting that security teams can fix. Potentially, the team needs to remediate this in multiple locations within the application, in combination with the usage of the UI widget, and throughout all tenants. To further complicate the issue, changing a single setting could break existing workflows connected to the Simple List tables, causing severe disruption of existing processes.

“We recommend all companies check their ServiceNow tenants to make sure that they aren’t leaking data,” said Bin. “Companies that are still exposed are at high risk of data loss.”

Bin also added that his team’s research is only based on one sampling and does not serve as a conclusive number on the full risk to companies running ServiceNow.