Misconfigured ServiceNow instances leak sensitive Knowledge Base data

September 18, 2024

Sensitive Knowledge Base (KB) articles from over 1,000 misconfigured ServiceNow instances have been exposed, revealing critical company information. Misconfigurations and improper access controls have made sensitive data, including personally identifiable information (PII), internal system details, user credentials, and live production access tokens, accessible to external users and potential threat actors.

Despite ServiceNow’s 2023 efforts to improve security with Access Control Lists (ACLs), the problem persists. Those upgrades were intended to strengthen access control, but they did not cover knowledge bases, which rely mostly on the “User Criteria” authorisation system. As a result, insufficient configuration still exposes a great deal of business data.

Internal guidelines, frequently asked questions (FAQs), and procedures intended solely for authorised staff are housed in ServiceNow’s Knowledge Base. Configuration mistakes, however, have made these items accidentally available to the public. The 2023 ACL security upgrades did not apply to the public-facing widgets that some organisations use, leaving the possibility of unauthorised access open.

[Figure: Attackers could use tools like Burp Suite to brute-force Knowledge Base article numbers.]

Security researchers have found that threat actors could use tools such as Burp Suite to brute-force Knowledge Base article numbers and so take advantage of these misconfigurations.

Because KB articles are numbered incrementally (e.g., KBXXXXXX), attackers can easily automate attempts to retrieve sensitive content. Researchers showed how an attacker could query KB articles one after another, obtain tokens, and reach public widgets without authentication.
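A defender-side detection for the enumeration pattern described above, added here as an example and not code from the researchers or from ServiceNow: it scans access-log lines for a single source requesting a run of consecutive KB article numbers within a short window. The log lines are constructed, and the log format, field positions, 7-digit article numbering and thresholds are assumptions to adapt to a real deployment.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real ServiceNow data):
# timestamp, source IP, method, request path, HTTP status.
SAMPLE_LOG = """\
2024-09-18T10:00:01Z 203.0.113.5 GET /kb_view.do?sysparm_article=KB0010001 200
2024-09-18T10:00:02Z 203.0.113.5 GET /kb_view.do?sysparm_article=KB0010002 404
2024-09-18T10:00:02Z 203.0.113.5 GET /kb_view.do?sysparm_article=KB0010003 200
2024-09-18T10:00:03Z 203.0.113.5 GET /kb_view.do?sysparm_article=KB0010004 200
2024-09-18T10:00:04Z 203.0.113.5 GET /kb_view.do?sysparm_article=KB0010005 404
2024-09-18T10:00:30Z 198.51.100.9 GET /kb_view.do?sysparm_article=KB0010412 200
2024-09-18T10:05:00Z 198.51.100.9 GET /kb_view.do?sysparm_article=KB0010007 200
"""

# Assumed line layout; the KB number is captured from anywhere in the path.
LINE_RE = re.compile(r"^(\S+) (\S+) \S+ \S*KB(\d+)\S* (\d{3})$")


def parse_line(line):
    """Return (timestamp, source, article_number) or None for non-KB lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
    return ts, m.group(2), int(m.group(3))


def detect_enumeration(lines, window_seconds=60, min_articles=4):
    """Flag sources that request a run of consecutive KB numbers within the window.

    Both 200 and 404 responses count: an enumerator guesses article numbers
    blindly, so misses are as telling as hits."""
    events = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            ts, src, num = parsed
            events[src].append((ts, num))
    findings = []
    for src, evs in events.items():
        evs.sort()
        for i, (start, _) in enumerate(evs):
            in_window = {n for t, n in evs[i:] if t - start <= timedelta(seconds=window_seconds)}
            nums = sorted(in_window)
            # Count adjacent pairs that differ by exactly one: a sequential scan.
            adjacent = sum(1 for a, b in zip(nums, nums[1:]) if b - a == 1)
            if len(nums) >= min_articles and adjacent >= min_articles - 1:
                findings.append({"source": src, "first": f"KB{nums[0]:07d}",
                                 "last": f"KB{nums[-1]:07d}", "count": len(nums)})
                break  # one finding per source is enough for an alert
    return findings
```

Running `detect_enumeration(SAMPLE_LOG.splitlines())` flags only 203.0.113.5, which walked KB0010001 through KB0010005 in four seconds; the second source's two unrelated requests minutes apart are left alone.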

To reduce these risks, security experts advise administrators to configure User Criteria correctly so that unauthorised users cannot reach sensitive Knowledge Base items. They also advise turning off public access to Knowledge Bases (KBs) that are not in use, to reduce exposure to outside threats.

A number of specific security properties can be used to better protect KB articles. For instance, setting glide.knowman.block_access_with_no_user_criteria to “true” automatically denies access when no user criteria are defined, and enabling glide.knowman.apply_article_read_criteria requires explicit “Can Read” rights before an article can be viewed.

It is also advised to rely on the out-of-the-box restriction that prevents guest users from viewing newly published KB articles by default, which forces administrators to grant access explicitly where it is needed. Since being made aware of the problem, ServiceNow has been working proactively with customers to correct the misconfigurations.

Effective September 4, 2024, the company has taken steps to help customers adjust their Knowledge Base configurations and ensure that sensitive data is protected.
