22 February 2021 at 13:21 UTC
Updated: 23 February 2021 at 18:37 UTC
Vulnerability that would result in full environment compromise has now been patched
UPDATED More than 600 enterprises, universities, and government agencies could have inadvertently exposed their ServiceNow login credentials – many with administrator privileges – because of a vulnerability in the IT support platform.
Now patched, the security flaw centered on how the platform’s ‘Help the Help Desk’ feature requested information from endpoints and left unencrypted passwords publicly viewable on all ServiceNow instances that used the feature.
‘Full environment compromise’
Gaining administrative access to a ServiceNow cloud instance would give an attacker free rein over customer support tickets, employee data, internal documentation, internal IT tickets, internal HR tickets, and other potentially sensitive customer information.
“Other ServiceNow features may even provide command execution on servers and workstations enrolled in various ServiceNow integrations,” said security researcher Jordan Potti in a blog post documenting his discovery.
“Given the amount of data and access ServiceNow has in many environments, this may lead directly to complete environment compromise.”
Hinder the Help Desk
ServiceNow, a cloud computing platform used by enterprises to manage digital workflows, has more than 17,000 customers.
Enterprise users can configure the Help the Help Desk feature to collect information, via a WMI script, from the endpoints of employees and customers.
The file was readily accessible at https://<customername>.servicenow.com/HelpTheHelpDesk.jsdbx, and the credentials were visible “at the top of the script for anyone’s viewing pleasure”.
Worse still, the base64-encoded passwords weren’t encrypted, even though the prefix misleadingly indicated otherwise.
Potti added: “How this hadn’t been found before is interesting.”
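As an added example (not code from the original article, the researcher or ServiceNow), the Python below audits the text of a publicly served script for populated credential assignments and reports whether a value labelled as protected is merely base64, which anyone can reverse without a key. The variable names, the `enc:` prefix and the sample script are constructed assumptions.

```python
import base64
import binascii
import re

# Constructed sample of a publicly served script body. The variable names and
# the "enc:" prefix are hypothetical placeholders, not ServiceNow's real ones.
SAMPLE_SCRIPT = '''
var svcUser = "soap.collector";
var svcPass = "enc:UzNjcjN0IVBhc3M=";
var emptyPass = "";
function runCollection() { /* WMI collection logic */ }
'''

# Matches simple string assignments whose name looks credential-related.
ASSIGNMENT = re.compile(
    r'var\s+(\w*(?:user|pass|secret|token)\w*)\s*=\s*"([^"]*)"', re.IGNORECASE
)


def decodes_as_base64(value):
    """Return the decoded text if value is base64 of printable text, else None."""
    try:
        raw = base64.b64decode(value, validate=True)
        text = raw.decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    return text if text and text.isprintable() else None


def audit_script(body):
    """List populated credential-like assignments and whether each is reversible."""
    findings = []
    for name, value in ASSIGNMENT.findall(body):
        if not value:
            continue  # empty placeholder: nothing exposed
        # Drop a label such as "enc:"; a label does not change the encoding.
        payload = value.split(":", 1)[1] if ":" in value else value
        recovered = decodes_as_base64(payload)
        findings.append({
            "name": name,
            "reversible_without_key": recovered is not None,
        })
    return findings


if __name__ == "__main__":
    for finding in audit_script(SAMPLE_SCRIPT):
        print(finding)
```

Any populated finding in a script served without authentication is an exposure on its own; `reversible_without_key` only adds whether the stored value offers no protection once read.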
Amplifying the risk
Many ServiceNow users exacerbated the security risk by using their administrator credentials when using SOAP [Simple Object Access Protocol] authentication for running the WMI script, overlooking the official documentation that outlines a process for creating an unprivileged role for the job.
Consequently, the researcher discovered numerous administrator-level usernames such as , , and among the exposed credentials.
“In more than one case, credentials provided full admin access to ServiceNow instances that were used by global companies with bug bounty programs,” noted Potti.
Easy to GET
The researcher said simple requests were sufficient to determine when a host was exposing credentials.
“Using some open source reconnaissance, a list of ServiceNow subdomains was collected and each one was issued a request for the HelpTheHelpDesk script,” he continued.
“If the and values were filled, the request was logged.”
The researcher unearthed the issue on August 15, 2020, and alerted ServiceNow on August 20.
The developers released a patch on October 8 and the vulnerability was publicly disclosed yesterday (February 21).
A ServiceNow spokesperson told The Daily Swig: “ServiceNow is committed to protecting its customers and, like many software companies, runs a program to catch and patch bugs before they’re exploited. In this case, as soon as the bug was identified by a security researcher a patch was created to correct it.”
The Daily Swig has also contacted Jordan Potti for further comment. We’ll update the story if and when we receive a reply.
This article was updated on February 23 with a statement from ServiceNow.