ServiceNow patched vulnerabilities in its software in May and July. All instances hosted by ServiceNow are patched. However, attackers are looking for victims with self-hosted unpatched instances in government organizations, data centers, energy providers and software development companies.
Because of their critical nature, security firms Resecurity and Assetnote have detailed the vulnerabilities. Essentially, the attacks combine multiple vulnerabilities in ServiceNow to gain access to data. ServiceNow released patches earlier, in May and July.
On July 10, the software vendor released a fix for CVE-2024-4879, an input validation vulnerability that allowed unauthorized users to remotely execute code on different versions of the ServiceNow platform.
Exactly one day later, Assetnote described how CVE-2024-4879 can be used together with two other vulnerabilities, CVE-2024-5178 and CVE-2024-5217. In theory, this allows hackers to gain full access to a database. ServiceNow told Techzine that all instances hosted by ServiceNow have been patched and that there are no indications that customers have fallen victim to this theoretical hack. However, it urges customers who host instances themselves to patch as soon as possible.
Publicly available
Notably, exploits and scanners for CVE-2024-4879 became available on GitHub within a short time. According to Resecurity, these are used to identify vulnerable instances. The exploits use a payload injection to detect a specific server response. A payload can then be delivered to check the database's content. If successful, the hacker can obtain a user list and account information. In most cases the data is hashed, but there have been cases of plain-text login credentials, according to the security companies.
ServiceNow has released fixes for all three vulnerabilities. Users are advised to verify that they are running the updated versions to avoid becoming victims.