Thousands of ServiceNow KB Instances Expose Sensitive Corporate Data
Despite security updates to protect data, 45% of total enterprise instances of the cloud-based IT management platform leaked PII, internal system details, and active credentials over the past year.
September 18, 2024
One thousand instances of enterprise knowledge bases (KBs) hosted by ServiceNow were found to be exposing sensitive corporate data over the past year, despite improvements in data protection that the company put in place last year to prevent exactly this kind of exposure.
Based on security research conducted by software-as-a-service (SaaS) security firm AppOmni, nearly 45% of total enterprise instances of ServiceNow KBs leak sensitive data, including personally identifiable information (PII), internal system details, and active credentials/tokens to live production systems.
AppOmni chief of SaaS security research Aaron Costello, in an analysis published on Sept. 17, attributed the security holes to "outdated configurations and misconfigured access controls in KBs," likely indicating "a systematic misunderstanding of KB access controls or possibly the accidental replication of at least one instance's poor controls to another through cloning."
In fact, in many of the cases, organizations with more than one instance of ServiceNow had consistently misconfigured KB access controls across each one, the researchers found.
ServiceNow is a cloud-based IT service management platform. Last year, the company introduced security updates to its platform to prevent unauthenticated users from getting access to data, including default enhancements to access control lists (ACLs). However, the improvements didn't seem to have a great impact on its KBs, a "treasure trove of sensitive internal data" not meant to be seen by those outside of the organization, Costello noted.
Why Leaks Despite Security Improvements?
AppOmni revealed its findings to ServiceNow, which worked with its customers to evaluate the instances of customer data leaks and "appropriately configure the accessibility of KB articles," ServiceNow CISO Ben De Bont said in a statement published with AppOmni's analysis.
"We are committed to protecting our customers' data, and security researchers are important partners in our ongoing efforts to improve the security of our products," De Bont said. He thanked Costello and AppOmni not only for identifying the security gap, but also delaying publication of their findings until ServiceNow could coordinate mitigations with customers.
As mentioned, ServiceNow made two key changes to its data protections last year in an effort to improve the security of data hosted on its platform. One was to add properties to prevent select widgets from granting unauthenticated users access to data unless explicitly set to do so, while the second was a new feature called Security Attributes, which is applied to most ACLs by default. It includes specific verifications to ensure unauthenticated users are not allowed access to data.
These updates did not protect data in KBs for two reasons, Costello noted. One is that the public widgets that can be used to access the content of KB articles did not receive the update, he wrote. The second is that the majority of KBs are secured using a feature called User Criteria rather than ACLs, "rendering the addition of the 'UserIsAuthenticated' Security Attribute redundant since it is an ACL-exclusive feature," Costello noted. In other words, a control that only fires inside ACL evaluation never sees a request whose authorization is decided by User Criteria.
Though this may explain the issues found with ServiceNow's KB exposure, it doesn't necessarily explain why organizations in general struggle to lock down KBs. What Costello found in his research is that most enterprise instances — 60% of the cases he examined — retain an insecure KB security property that allows public access by default, Costello said.
Moreover, many administrators are unaware that there are various criteria that grant access to unauthenticated users in KB configurations, allowing "external users to slip through the cracks and be granted access," Costello wrote.
How to Mitigate KB Data Exposure
Indeed, ServiceNow isn't the only hosting provider to have issues with data leakage from KBs, notes Roger Grimes, data-driven defense evangelist at security awareness training firm KnowBe4. Microsoft, too, experienced a similar issue with leaking client data, "including complete memory dumps, exposed in help desk-type data," he says.
However, pointing fingers at SaaS providers when security issues like KB data leaks arise isn't going to help combat the problem, and organizations also need to take responsibility for the security of their own KBs.
"The reality is that we are all learning how to best secure our data in this world of hyper-connectivity and always online accessible content," he says. "Instead of blaming the vendor, let's use this additional instance of the type of problem to examine our own policies and processes."
Costello suggested ways organizations can do that, including running regular diagnostics on KB access controls to keep security configurations updated, and using business rules to deny unauthenticated access to KB content by default.
They also should be aware of the relevant security properties of KBs, which act as important security guardrails affecting how access control is dictated when both internal and external users attempt to access data, he said.
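As an added illustration (not AppOmni's or ServiceNow's code) of the access model described above and of the diagnostic Costello recommends, the following JavaScript sketches how Knowledge Base reads are gated by User Criteria rather than ACLs, audits a constructed set of KBs for ones the unauthenticated "guest" user could read, and shows the "deny unauthenticated by default" remediation as data. The evaluation rules it encodes (unauthenticated traffic runs as a role-less guest user, Cannot Read takes precedence over Can Read, a criterion with no conditions matches everyone, an empty Can Read list falls back to the instance's public-by-default property) and all names, roles and sample records are assumptions made for the example, not verified ServiceNow behaviour; a real audit would read the same facts from the instance's KB and User Criteria tables.

```javascript
// Added example modelling ServiceNow KB access via User Criteria.
// Every rule below is an assumption for illustration, not documented platform behaviour.

// Assumption: unauthenticated visitors are evaluated as the platform's "guest" user.
const GUEST = { userName: "guest", roles: [], groups: [], authenticated: false };

// One User Criteria record. Each populated list is a condition; matchAll
// requires every populated condition to hold, otherwise any one suffices.
// Assumption: a record with no conditions at all matches any user, guest included.
function criterionMatches(c, user) {
  const checks = [];
  if (c.users.length) checks.push(c.users.includes(user.userName));
  if (c.roles.length) checks.push(c.roles.some(r => user.roles.includes(r)));
  if (c.groups.length) checks.push(c.groups.some(g => user.groups.includes(g)));
  if (checks.length === 0) return true;
  return c.matchAll ? checks.every(Boolean) : checks.some(Boolean);
}

// Decide whether `user` may read `kb`; Cannot Read wins, then Can Read,
// then the instance-wide public-by-default property when no Can Read exists.
function canRead(kb, user, settings) {
  if (kb.cannotRead.some(c => criterionMatches(c, user)))
    return { allowed: false, reason: "matched a Cannot Read criterion" };
  if (kb.canRead.length === 0)
    return settings.publicByDefault
      ? { allowed: true, reason: "no Can Read criteria and public-by-default is on" }
      : { allowed: false, reason: "no Can Read criteria and public-by-default is off" };
  const hit = kb.canRead.find(c => criterionMatches(c, user));
  return hit
    ? { allowed: true, reason: `matched Can Read criterion "${hit.name}"` }
    : { allowed: false, reason: "no Can Read criterion matched" };
}

// Diagnostic: list the KBs an unauthenticated visitor could read, with the reason.
function auditPublicKbs(kbs, settings) {
  return kbs
    .map(kb => ({ kb: kb.name, ...canRead(kb, GUEST, settings) }))
    .filter(r => r.allowed);
}

// Remediation modelled on the "deny unauthenticated access by default" advice:
// attach an explicit Cannot Read criterion for guest to every KB.
const DENY_GUEST = { name: "Deny guest", users: ["guest"], roles: [], groups: [], matchAll: false };
function denyGuestEverywhere(kbs) {
  return kbs.map(kb => ({ ...kb, cannotRead: [...kb.cannotRead, DENY_GUEST] }));
}

// Constructed sample data (hypothetical KBs and criteria).
const ANY_USER = { name: "Any User", users: [], roles: [], groups: [], matchAll: false };
const EMPLOYEES = { name: "Employees", users: [], roles: ["snc_internal"], groups: [], matchAll: false };
// A criterion that looks restrictive but lets guest "slip through the cracks".
const CONTRACTORS = { name: "Contractors", users: ["guest", "jdoe"], roles: [], groups: ["contractors"], matchAll: false };
const NO_GUEST = { name: "No guest", users: ["guest"], roles: [], groups: [], matchAll: false };

const SAMPLE_KBS = [
  { name: "HR Policies", canRead: [EMPLOYEES], cannotRead: [] },
  { name: "IT Runbooks", canRead: [ANY_USER], cannotRead: [] },       // explicit Any User
  { name: "Legacy KB", canRead: [], cannotRead: [] },                  // inherits the default
  { name: "Vendor Portal", canRead: [CONTRACTORS], cannotRead: [] },   // guest hidden in a list
  { name: "Exec Notes", canRead: [ANY_USER], cannotRead: [NO_GUEST] }, // Cannot Read overrides
];
const SETTINGS = { publicByDefault: true }; // the insecure default the article describes

console.log(JSON.stringify(auditPublicKbs(SAMPLE_KBS, SETTINGS), null, 2));
console.log("after remediation:", auditPublicKbs(denyGuestEverywhere(SAMPLE_KBS), SETTINGS).length);
```

Running it reports three exposed KBs before remediation (the explicit Any User criterion, the KB that inherits the public default, and the one whose restrictive-looking criterion lists guest) and none afterwards; switching the public-by-default property off alone removes only the inheriting KB, which is why Costello pairs the property change with an explicit deny rule.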
Keeping in contact with ServiceNow (as well as other SaaS providers that are responsible for hosting sensitive corporate data), and ensuring security updates and efforts are up-to-date can help prevent data exposure, Costello added.