October 26, 2023 at 04:32AM
ServiceNow is issuing a fix for a vulnerability that allowed unauthenticated attackers to steal sensitive files. The flaw lies in the default configuration of ServiceNow's widgets, which can expose personal data. Despite earlier code changes, the default configuration still left widgets returning the requested data, making that data reachable by attackers. ServiceNow has released a fix and recommends defining role, condition, and script checks on all Access Control Lists (ACLs) so that unauthorized access attempts are denied. Customers are urged to review their widgets and to apply IP access control wherever external access is not required.
According to the meeting notes, ServiceNow is issuing a fix for a flaw that allowed unauthenticated attackers to steal an organization's sensitive files. The flaw was highlighted by security researcher Aaron Costello, who found that the default configuration of ServiceNow's widgets could expose personal data. ServiceNow has updated the widgets' default configuration to improve safety, but records remain public if the configuration is left unchanged, allowing attackers to retrieve specific data. ServiceNow has stated that it works regularly with customers to ensure security configurations are properly implemented for each organization.

The issue concerns the widgets used in ServiceNow's platform and the Access Control Lists (ACLs) that govern access to resources. If an ACL is blank, meaning it defines no role, condition, or script check, an access attempt resolves to true, so the ACL grants access to anyone who asks, including unauthenticated attackers. Researchers were able to retrieve personally identifiable information (PII) and internal documents this way. ServiceNow made some changes to address the issue, but Costello says more needs to be done to fully secure the platform. ServiceNow had no public documentation on the affected component, and its communication with customers about the issue was limited.

After the research gained attention, ServiceNow released a second fix that sets all blank ACLs to deny public access by default. Customers were advised to define role, condition, and script checks on all ACLs for better security.
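The fail-open behaviour described above is easiest to see in a small model. The following is an added illustration, not ServiceNow code: it treats an ACL as a set of optional role, condition, and script checks in which an absent check counts as passed (so a fully blank ACL grants access to anyone), then shows the fail-closed default the second fix introduced, and finally an audit helper of the kind a customer reviewing their ACLs could use. The object shape, role name, and function names are assumptions made for this example and are not the platform's real API.

```javascript
// Added example (not ServiceNow's implementation). An ACL is modelled as an
// object with optional `roles` (array of role names), `condition` (record => bool)
// and `script` ((user, record) => bool). A missing property is a "blank" check.

// Fail-open evaluation: every blank check passes, so an ACL with no checks at
// all resolves to true for every caller, authenticated or not.
function evaluateFailOpen(acl, user, record) {
  const roleOk = acl.roles === undefined || acl.roles.some(r => user.roles.includes(r));
  const conditionOk = acl.condition === undefined || acl.condition(record);
  const scriptOk = acl.script === undefined || acl.script(user, record);
  return roleOk && conditionOk && scriptOk;
}

// Fail-closed evaluation: a blank ACL denies everyone; a configured ACL is
// evaluated normally. This mirrors the behaviour the article attributes to the
// second fix (blank ACLs no longer allow public access).
function evaluateFailClosed(acl, user, record) {
  const hasAnyCheck =
    acl.roles !== undefined || acl.condition !== undefined || acl.script !== undefined;
  if (!hasAnyCheck) return false;
  return evaluateFailOpen(acl, user, record);
}

// Audit helper: given a map of ACL name -> ACL, return the names of ACLs that
// define no role, condition or script check, i.e. the ones that fail open.
function findBlankAcls(acls) {
  return Object.entries(acls)
    .filter(([, acl]) =>
      acl.roles === undefined && acl.condition === undefined && acl.script === undefined)
    .map(([name]) => name);
}

// Constructed sample data for the demonstration.
const blankAcl = {};
const hardenedAcl = {
  roles: ['file_reader'],                               // constructed role name
  condition: rec => rec.active === true,                // only active records
  script: (user, rec) => rec.owner === user.id,         // only the record owner
};
const anonymous = { id: null, roles: [] };              // unauthenticated caller
const owner = { id: 'u1', roles: ['file_reader'] };
const record = { active: true, owner: 'u1', body: 'constructed internal document' };

function demo() {
  return {
    blankFailOpenAnonymous: evaluateFailOpen(blankAcl, anonymous, record),     // true
    blankFailClosedAnonymous: evaluateFailClosed(blankAcl, anonymous, record), // false
    hardenedAnonymous: evaluateFailClosed(hardenedAcl, anonymous, record),     // false
    hardenedOwner: evaluateFailClosed(hardenedAcl, owner, record),             // true
    blankAclNames: findBlankAcls({ attachments: blankAcl, kb_articles: hardenedAcl }),
  };
}

console.log(demo());
```

The point the model makes is that the fix is not only a default flip: under either evaluator, an ACL that defines no checks is the thing to find and correct, which is why the advice is to define role, condition, and script checks on every ACL and to audit for blank ones.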