UPDATE: A ServiceNow statement shared with TechRadar Pro noted, "On May 14, 2024, ServiceNow learned of a vulnerability on the Now Platform impacting instances running on the Vancouver and Washington, D.C. family releases. That day, we deployed an update and have since issued a series of patches designed to address the issue".
The company added that based on its investigation to date, it has not observed evidence that the activity mentioned below is related to instances that ServiceNow hosts.
"We have encouraged our self-hosted and ServiceNow-hosted customers to apply relevant patches if they have not already done so. We will also continue to work directly with customers who need assistance in applying those patches," the statement added.
Hackers have been linking multiple ServiceNow vulnerabilities to target companies and organizations, and steal user login credentials, experts have said.
Cybersecurity researchers from Resecurity claimed to have spotted an input validation vulnerability, which allowed threat actors to run remote code execution (RCE) attacks on multiple versions of the Now Platform. The vulnerability is now tracked as CVE-2024-4879, and carries a severity score of 9.3.
Soon after, a team of researchers from Assetnote found two more flaws, tracked as CVE-2024-5178, and CVE-2024-5217, and explained how they might be leveraged in attacks.
Stealing login credentials
The attackers would inject a payload which checks for a specific result in the server response. If it gets the appropriate one, it deploys a second-stage payload that checks the contents of the database. The last step is to dump user lists and account credentials. While most of the time the credentials are hashed, there are some examples where the credentials were dumped in plaintext. That can lead to account compromise which, in turn, can carry devastating consequences, such as ransomware attacks.
ServiceNow is a cloud-based business solution for digital workflow management. It has almost 300,000 internet-exposed instances, making it quite a popular solution, BleepingComputer claims. Some of its clients include Coca-Cola (uses it for streamlining IT service management), Dell (IT service automation and management), Deloitte (IT service automation and optimization), and the State of California ( managing state-wide IT services and operations).
The fix for the vulnerabilities was released on July 10 2024, however at press time, it would seem that many organizations still haven’t applied it. Users are advised to install the fix immediately and make sure they do it on all instances.
Via BleepingComputer
More from TechRadar Pro
- This dangerous UEFI bootkit can hijack your Windows PC with ease
- Here's a list of the best firewalls today
- These are the best endpoint protection tools right now
