More than 1,000 instances of ServiceNow knowledge bases (KBs) representing 45% of instances tested by AppOmni were found to have a misconfiguration that unintentionally exposed data from the KBs.
Companies use ServiceNow KBs to store and share information in the form of articles that can help users find answers to questions, troubleshoot issues, and resolve IT service tasks.
A Sept. 17 blog post by AppOmni researchers explained that this data can often be sensitive in nature. Personally identifiable information (PII), internal system details, and active credentials/tokens to live production systems were found in the case AppOmni reported.
“In many of these cases, it was observed that organizations that have more than one instance of ServiceNow had consistently misconfigured KB access controls across each one,” wrote the AppOmni researchers. “This could indicate a systematic misunderstanding of KB access controls or possibly the accidental replication of at least one instance’s poor controls to another through cloning.”
Dan Meged, senior research leader at Adaptive Shield, added that this misconfiguration exposed seemingly secured KB articles through a ServiceNow tool called widgets. In another Sept. 17 blog on the ServiceNow KB topic, Adaptive Shield researchers said widgets let hackers bypass the security controls put in place at the KB and page level, and directly access the content.
Meged said attackers could easily do this at scale, exposing every article within KB. As part of the shared responsibility model, it’s up to organizations to prevent these leaks, said Meged. This past May, Meged said the Adaptive Shield research team he heads up discovered the misconfiguration in about 30% of the thousands of ServiceNow accounts the team reviewed and responsibly disclosed this exposure.
“To remediate this issue, ServiceNow admins must set their ‘Can Read’ user criteria to non-public and add ‘guest user’ and ‘any user’ to ‘Cannot Read’ to prevent access to this content through a widget,” said Meged. “In addition, they must set all public pages to private. This is a serious misconfiguration that underscores the need for robust access controls and continuous monitoring."
When asked for a response to the AppOmni and Adaptive Shield blogs, a spokesperson for ServiceNow said the company is aware of recent publications describing the potential for unintended access if KB articles are not configured to meet business needs. The company said several months ago, they contacted customers with detailed guidance on how to address this issue. In addition, to help protect customers whose KBs may still permit greater access than desired, ServiceNow said on Sept. 4 that it began to take proactive action designed to address customers’ KB configurations as appropriate.
“We proactively work with customers on the ongoing safety of their security configurations to ensure they are properly structured and aligned to their intended purpose,” said ServiceNow. “We make these protocols extensible so our customers can configure them based on their unique security needs.”
Misconfiguration exposes a critical SaaS issue
Guy Rosenthal, vice president of product at SaaS vendor DoControl, pointed out that this ServiceNow Knowledge Base exposure highlights a critical issue in SaaS security that we're all seeing: the challenge of maintaining proper configurations across complex, ever-evolving platforms.
Rosenthal said the technical issues here are multifaceted: First, many teams deal with legacy configurations. They run older versions of ServiceNow where KBs are set to public by default. It's a classic case of "set it and forget it" in which teams might not realize they need to revisit these settings. Second, there's the complexity of access controls, said Rosenthal. ServiceNow's “User Criteria” feature is powerful, but it's also easy to misconfigure.
“A small mistake in these rules can inadvertently grant access to unauthenticated users,” said Rosenthal. “It's like leaving your front door unlocked because you thought you turned the key, but actually didn't.”
Chen Burshan, chief executive officer of Skyhawk Security, added that there are two main issues uncovered by this research. One is related to application permissions settings to prevent unauthorized access to data. Burshan said ServiceNow issued an access control list (ACL) mechanism and configuration instructions in 2023 that many have found hard to follow, leaving customers exposed still.
On top of that, Burshan said the KB’s identifier is not a random UUID, it’s a sequential identifier with format KBXXXXXXX starting at KB0000001 and going up incrementally, thus allowing a bad actor to simply try to access the articles one by one to find one that’s unintentionally exposed.
Stephen Kowski, Field CTO at SlashNext Email Security, pointed out that despite the patch ServiceNow added to its ACLs in 2023, many KBs also remain vulnerable because of outdated configurations and misconfigured access controls.
“To mitigate these risks, organizations should prioritize regular diagnostics on KB access controls and implement business rules to deny unauthenticated access to KB content by default,” said Kowski. “By leveraging advanced security controls and automation, security teams can better protect their SaaS application environments and prevent data exposure.”
