ServiceNow misconfiguration went unexploited, but still cause for concern

News of a misconfiguration in ServiceNow caused great concern over the past several days because it’s estimated that 80% of Fortune 500 companies deploy ServiceNow. 

If a company was breached, security experts said there would have been direct risks such as data leaks, including passwords, sensitive ticket info, and PII, as well as indirect risk for social engineering campaigns and impact on the organization’s reputation.

But as of Oct. 31, there are no known reported exploits or data loss as a result of the ServiceNow misconfiguration.

Maor Bin, co-founder and CEO at Adaptive Shield, said since reports of the ServiceNow misconfiguration came out last week, his research team detected more than 5,000 exposed companies, where many were Fortune 500 businesses. Bin said once ServiceNow released the fix reportedly on Oct. 20, his team reassessed the exposed portals and found that 99% of the tables within the portals are not accessible, leaving just 1% of affected organizations exposed.

“A single misconfiguration is an Achilles heel to an organization’s SaaS app stack,” said Bin. “They provide an inadvertent gateway for potential threats. In my experience, I have seen this type of misconfiguration be a default one, across many critical apps — and it underscores the importance of meticulous configuration management, where each setting is checked and monitored for compliance.

Bin said the exposure — which dates back to 2015 — was the result of a set of configurations for the ServiceNow Simple List widget that lets the data in the tables be accessed remotely by unauthenticated users. These tables organize information from multiple sources and have configurations with a default setting of public access.

Because these tables are the core of ServiceNow, Bin said the issue isn’t contained within a single setting that can security teams can fix. Potentially, the team needs to remediate this in multiple locations within the application in combination with the usage of the UI widget, and throughout all tenants. To further complicate the issue, changing a single setting could break existing workflows connected to the Simple List tables, causing severe disruption of existing processes.

“We recommend all companies check their ServiceNow tenants to make sure that they aren’t leaking data,” said Bin. “Companies that are still exposed are at high risk of data loss.”

Bin also added that his team’s research is only based on one sampling and does not serve as a conclusive number on the full risk to companies running ServiceNow.  

Internal audits serve their purpose

It was likely an internal audit that helped ServiceNow uncover this misconfiguration, and it’s a great example of how and why we audit our policies and programs to ensure security best practices, said Aubrey Perin, lead threat intelligence analyst at Qualys. Perin said misconfigurations are common enough that many vendors have services to help businesses audit configurations to uncover misconfigurations that could compromise security and allow would-be hackers to make easy gains.

“For companies that are impacted by this issue, the best way for security teams to remediate would be to do a test on a smaller subset of the service environment or backup to ensure that the fixes don't cause further issues for the organization,” said Perin. “It may also be a good time to re-evaluate whether services could be moved to network isolated segments, or otherwise, redefine network utilization. The right move will vary by organization and be dependent on its individual risk appetite. Organizations should follow guidance from ServiceNow and work with them to restore and ensure service.”

Because this misconfiguration gives access to dashboards, not only the loss of data becomes an issue, but also what types of data are important to the business are revealed, said John Gallagher, vice president of Viakoo Labs. Gallagher said ServiceNow gives a unique insight as to how the business views it’s most important metrics. 

“Now that security controls have gotten to the point where no one can keep track of them (or set them properly), expect to see AI-based solutions claiming to solve this problem,” said Gallagher. “In all likelihood, in the future, AI should take care of this. While I can’t point to specific data leaks, with the publication of this, there are a lot of attempts being made and they will continue. Application-based discovery, and knowledge of where instances of ServiceNow are running will definitely help to address the misconfiguration issue.”