Patch Now: ServiceNow Critical RCE Bugs Under Active Exploit

A threat actor on BreachForums is claiming to have harvested email addresses and associated hashes from more than 105 ServiceNow databases after exploiting two recently disclosed critical vulnerabilities in the cloud-based IT service management platform.

Researchers from Resecurity's HUNTER threat team warned late last week that the two ServiceNow vulnerabilities (CVE-2024-4879, CVSS score of 9.3 out of 10; and CVE-2024-5217, CVSS score of 9.2) were being actively exploited in the wild, and said they saw the BreachForums member putting the data up for sale at $5,000 for the whole tranche.

Meanwhile, the US Cybersecurity and Infrastructure Security Agency (CISA) today added the two bugs to its known exploited vulnerabilities catalog amid multiple reports of other attempts to exploit the flaws in recent days. Federal civilian executive branch agencies have until Aug. 19 to apply ServiceNow's patches, or to discontinue use of the platform until they can remediate the issue.

Resecurity researchers said that the attacks on ServiceNow should be expected. "There has been identified chatter on multiple underground forums on the Dark Web highlighting threat actors seeking compromised access to IT service desks, corporate portals, and other enterprise systems that typically provide remote access to employees and contractors," they wrote. "These systems could be used for pre-positioning and attack planning, as well as reconnaissance."

An Unauthenticated RCE Chain Allows Total Access

CVE-2024-4879 is an input validation vulnerability in ServiceNow's "Vancouver" and "Washington DC" versions of the platform. It enables an unauthenticated remote attacker to execute arbitrary code. The vendor has assessed the vulnerability as easy to exploit and requiring no user interaction or special conditions. CVE-2024-5217 is a similarly critical input validation flaw in the Vancouver, Washington DC and earlier editions of Now that also allows for remote code execution (RCE) and is easy to exploit.

ServiceNow issued hotfixes for both flaws on July 10 along with a fix for a third — less severe — flaw in the same software (CVE-2024-5178). AssetNote discovered the three vulnerabilities and reported them to ServiceNow in May, describing the issues as a "chain of vulnerabilities that allows full database access and full access to any servers," that organizations might be using to access cloud-hosted instances.

A public proof-of-concept exploit (PoC) was quickly published, paving the way for widespread attacks in the wild.

"On May 14, 2024, ServiceNow learned of a vulnerability on the Now Platform impacting instances running on the Vancouver and Washington, D.C. family releases," a spokeswoman said in an emailed comment. "That day, we deployed an update and have since issued a series of patches designed to address the issue" she said.
Based on ServiceNow's investigation to date the company has not observed evidence that the activity that Resecurity said it has observed is related to instances that ServiceNow hosts, the spokeswoman said. "We have encouraged our self-hosted and ServiceNow-hosted customers to apply relevant patches if they have not already done so. We will also continue to work directly with customers who need assistance in applying those patches. 

In-the-Wild Attacks Start to Escalate

Resecurity last week reported observing multiple attackers probing ServiceNow instances to check if they were vulnerable. "Initially, threat actors were injecting a payload and checking for a specific multiplication result in the response," Resecurity said. Next the attackers injected a payload that inspected the contents of the database and extracted it. "The final stage involved dumping user lists and collecting associated meta-data from compromised instances."  

The attacks so far have targeted Resecurity's clients (including an energy company, a data-center organization, a Middle Eastern government agency, and a software developer), critical infrastructure, foreign governments, as well as financial institutions, the Resecurity researchers noted in emailed comments to Dark Reading. Based on feedback from multiple victims, some of them appear to have been using on-premises or self-hosted versions of ServiceNow, or for some reason had opted out of receiving automatic updates from the company, the researchers said.

"Notably, some of them were not aware of the released patch, and in some cases used outdated or poorly maintained instances by their developers and software engineers," the company noted.

Imperva on July 23 also said it had observed attempts to exploit the vulnerabilities targeting organizations in the financial sector and multiple other industries. At the time, Imperva reported observing exploitation attempts across as any as 6,000 sites.

"Attackers are primarily leveraging automated tools to target login pages," Imperva said. "We're seeing two common payloads across attacks: one to test if remote code execution (RCE) is possible, and another command to show database users and passwords."

Estimates on the number of ServiceNow instances that are visible to Internet scans — and are hence likely targets for exploitation attempts — vary from more than 297,700 at the high-end to a less than 10,000 at the other end of the scale.

"Unfortunately, finding and exploiting these vulnerable systems isn't particularly difficult for motivated attackers," says Omri Weinberg, co-founder and CRO at DoControl.

Self-Hosted MID Servers Could Become Targets

ServiceNow is a widely used platform, and its instances often have public-facing components which threat actors can relatively easily find using automated scanning tools, Weinberg says. Once an adversary is able to find a vulnerable instance, "the exploit chain doesn't require a high level of technical sophistication, making it accessible to a broad range of attackers."

Weinberg recommends that organizations which cannot patch immediately focus on basic security hygiene like tightening access controls, increasing monitoring, and if possible, to restrict access to only trusted IP ranges.  

Naomi Buckwalter, director of product security at Contrast Security, says organizations using self-hosted proxy servers — called MID servers in ServiceNow speak — to connect internal systems to ServiceNow's cloud-based platform should pay special attention to the new flaws.

"While the MID server is not directly exposed to the Internet, attackers who manage to breach the internal network could potentially exploit these flaws to access sensitive data and disrupt critical business operations running on the Now Platform," Buckwalter says. "In a worst-case scenario, attackers could exfiltrate data, manipulate files, and gain unauthorized access to confidential information," she says. "ServiceNow has released patches to address these vulnerabilities, but organizations using self-hosted MID servers may still be at risk if they haven't applied the updates."