A recent security report revealed that over 1,000 ServiceNow instances are leaking sensitive information through misconfigured Knowledge Base (KB) articles. This leak poses a risk by exposing private company data to anyone on the internet. This article discusses how this happened and what companies can do to protect their information.
What is ServiceNow?
ServiceNow is a popular software platform used by many organizations. It helps manage tasks across different departments. Companies use it for IT services, handling customer inquiries, and keeping a knowledge base of articles. The knowledge base contains useful guides and information for employees. However, some of this information should not be publicly available.
Why is the Leak Serious?
The leaked KB articles contained sensitive data. This includes personally identifiable information, system details, user credentials, and access tokens to live systems. Any person who finds these articles could exploit the information for harmful purposes. This makes it essential for companies to control who can access their data.
How Did This Happen?
The problem is with how some ServiceNow instances are set up. Many organizations do not configure their access settings correctly. This mistake allows outsiders to see important KB articles. Although ServiceNow introduced updates in 2023 aimed at improving security, these updates did not fully protect KBs.
Aaron Costello from AppOmni discovered these issues. His team found that many KBs still rely on an outdated permission system called “User Criteria.” The 2023 security updates focused on Access Control Lists (ACLs), but KB access is governed by User Criteria rather than ACLs, so those updates did not cover it. As a result, many KBs are still at risk.
The Nature of the Attack
Malicious actors can easily exploit this misconfiguration. They use tools like Burp Suite to send large numbers of requests to the exposed ServiceNow instances. KB article IDs follow a simple sequential pattern, making them easy to guess. For instance, a cybercriminal can start at KB0000001 and keep trying the next numbers until they reach an exposed article.
This technique is called brute-forcing. It allows an attacker to find and retrieve sensitive articles without any authentication or permission.
What Can Companies Do?
Organizations need to take action now. They must block unauthorized access to their Knowledge Bases. Here are the steps they can implement:
- Set User Criteria: Admins should set the correct user permissions for their KB articles. They need to ensure that only authorized users can read the content.
- Turn Off Public Access: If a KB does not need public access, organizations should turn it off. This reduces the risk of exposing sensitive information.
- Use the Right Security Settings: ServiceNow provides several security settings that can help. Admins should enable these options:
  - glide.knowman.block_access_with_no_user_criteria (True): This blocks access to a KB if no User Criteria are set on it.
  - glide.knowman.apply_article_read_criteria (True): This makes sure users need explicit permission to read each article.
  - glide.knowman.show_unpublished (False): This keeps unpublished articles hidden from users.
- Activate Default Rules: Companies should use ServiceNow’s built-in rules. These rules automatically add ‘Guest Users’ to the “Cannot Read” list for new KB articles. This means that guests cannot access any new content unless explicitly given permission.
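The following script is an added example of how an administrator might audit the settings listed above from outside the instance; it is not ServiceNow's or AppOmni's code. It assumes ServiceNow's documented Table API (/api/now/table/<table>) and the sys_properties table; the table names kb_knowledge_base and kb_uc_can_read_mtom are assumed from the User Criteria schema and should be checked against your instance. The sample records at the bottom are constructed, standing in for the "result" arrays the API returns.

```python
"""Defender-side audit of ServiceNow Knowledge Base hardening settings.

Added example, not ServiceNow's or AppOmni's code. Assumptions: the Table API
endpoint /api/now/table/<table> and the sys_properties table are ServiceNow's
documented REST surface; the table names kb_knowledge_base and
kb_uc_can_read_mtom are assumed from the User Criteria schema and should be
verified against your instance. All sample records below are constructed.
"""
from typing import Dict, List

# Property values recommended in the article, as the lowercase strings that
# sys_properties returns them in.
RECOMMENDED: Dict[str, str] = {
    "glide.knowman.block_access_with_no_user_criteria": "true",
    "glide.knowman.apply_article_read_criteria": "true",
    "glide.knowman.show_unpublished": "false",
}


def table_url(instance: str, table: str, query: str, fields: str) -> str:
    """Build a Table API URL; fetch it with an authenticated GET (token or basic auth)."""
    return (f"https://{instance}.service-now.com/api/now/table/{table}"
            f"?sysparm_query={query}&sysparm_fields={fields}")


def audit_properties(records: List[Dict[str, str]]) -> List[str]:
    """Compare sys_properties rows ({name, value}) against RECOMMENDED."""
    present = {r["name"]: str(r.get("value", "")).strip().lower() for r in records}
    findings = []
    for name, want in RECOMMENDED.items():
        have = present.get(name)
        if have is None:
            # An absent property means the instance default applies; set it explicitly.
            findings.append(f"{name}: not set; set it explicitly to {want}")
        elif have != want:
            findings.append(f"{name}: is '{have}', should be '{want}'")
    return findings


def audit_knowledge_bases(kbs: List[Dict[str, str]],
                          can_read_links: List[Dict[str, str]]) -> List[str]:
    """Flag knowledge bases that have no 'Can Read' User Criteria attached.

    Unless block_access_with_no_user_criteria is true, such a KB is readable by
    anyone, which is the misconfiguration the report describes. `kbs` are
    kb_knowledge_base rows ({sys_id, title}); `can_read_links` are
    kb_uc_can_read_mtom rows ({kb_knowledge_base, user_criteria}) (assumed schema).
    """
    linked = {row["kb_knowledge_base"] for row in can_read_links}
    return [f"KB '{kb['title']}' ({kb['sys_id']}) has no Can Read user criteria"
            for kb in kbs if kb["sys_id"] not in linked]


def run_audit(props, kbs, links) -> Dict[str, List[str]]:
    """Run both checks and return findings grouped by area."""
    return {"properties": audit_properties(props),
            "knowledge_bases": audit_knowledge_bases(kbs, links)}


# Constructed sample data standing in for Table API "result" arrays.
SAMPLE_PROPERTIES = [
    {"name": "glide.knowman.block_access_with_no_user_criteria", "value": "false"},
    {"name": "glide.knowman.show_unpublished", "value": "false"},
]
SAMPLE_KBS = [
    {"sys_id": "kb_a", "title": "IT Runbooks"},
    {"sys_id": "kb_b", "title": "Public FAQ"},
]
SAMPLE_LINKS = [{"kb_knowledge_base": "kb_b", "user_criteria": "uc_guest"}]

if __name__ == "__main__":
    print(table_url("example", "sys_properties",
                    "nameIN" + ",".join(RECOMMENDED), "name,value"))
    for section, items in run_audit(SAMPLE_PROPERTIES, SAMPLE_KBS, SAMPLE_LINKS).items():
        print(section)
        for item in items or ["ok"]:
            print("  -", item)
```

Against the constructed sample, the audit reports the first property as wrongly set to false, the second as missing, and the "IT Runbooks" knowledge base as having no Can Read criteria; a clean instance returns empty lists in both sections. Feeding it real data only requires replacing the sample arrays with the "result" field of the three Table API responses.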
Conclusion
The potential for leaks through misconfigured ServiceNow instances is alarming. Over 1,000 KB articles expose sensitive information. Companies must act quickly to fix their configurations and protect data. With proper access controls and security settings, organizations can reduce the risk of future leaks. Secure practices will keep sensitive knowledge safe and maintain trust with customers and employees. Keeping data secure is every organization’s responsibility.