ServiceNow RCE - The Three Keys to ServiceNow's Data Vault
ServiceNow is an AI-driven, cloud-based platform that supports workflow management across business units such as operations, HR and asset management. Recently, a series of critical vulnerabilities (listed below) was announced. These vulnerabilities allow unauthenticated malicious actors to execute arbitrary code remotely.
The vulnerabilities affect the Washington DC, Vancouver and Utah releases of ServiceNow's Now Platform. They were addressed in the June 2024 patch cycle.
To understand these vulnerabilities, let's first cover some background. They fall into the category of Server-Side Template Injection (SSTI), which occurs when user-supplied input is embedded into a server-side template without proper validation. Because the template engine then evaluates that input, the result is often arbitrary code execution in the context of the server. Such exploits can lead to data theft and denial of service. There are several ways to remediate such attacks, the most common being to strip special characters such as <, >, { and } from user input.
ServiceNow uses Apache Jelly as the template engine that renders user input. Apache Jelly performs double evaluation: tags in the g: and j: namespaces are rendered first, and tags in the g2: and j2: namespaces are rendered afterwards. Because of this two-pass evaluation, output produced by g: and j: tags can itself be treated as template content, causing template injection when the second round of rendering occurs.
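To make the double-evaluation problem concrete, here is a constructed toy two-pass renderer with a deliberately weak form beside its sanitized form. This is an added example, not Apache Jelly or ServiceNow code: the ${name} placeholder syntax, the variable names and the secret value are all hypothetical, and the engine simply re-parses the output of pass 1 in pass 2 rather than using separate tag namespaces.

```python
import re

# Constructed toy renderer that mimics two-pass evaluation; it is not Apache
# Jelly or ServiceNow code, and the ${name} placeholder syntax is hypothetical.
PLACEHOLDER = re.compile(r"\$\{(\w+)\}")

def render_once(template: str, variables: dict) -> str:
    """Expand every ${name} in the template; unknown names become empty.
    re.sub scans only the original string, so substituted text is not re-read."""
    return PLACEHOLDER.sub(lambda m: str(variables.get(m.group(1), "")), template)

def render_twice(template: str, variables: dict) -> str:
    """Two-pass rendering: the output of pass 1 is parsed again in pass 2,
    so placeholder text that arrived *inside* a pass-1 value is expanded too."""
    return render_once(render_once(template, variables), variables)

def strip_template_chars(value: str) -> str:
    """Remediation the post mentions: drop the characters the engine treats
    specially so untrusted text can never form a placeholder."""
    return re.sub(r"[<>{}]", "", value)

def render_twice_safe(template: str, trusted: dict, untrusted: dict) -> str:
    """Same two-pass engine, but untrusted values are sanitised before use."""
    variables = dict(trusted)
    variables.update({k: strip_template_chars(v) for k, v in untrusted.items()})
    return render_twice(template, variables)

if __name__ == "__main__":
    template = "<title>${page_title}</title>"
    server_vars = {"db_password": "CONSTRUCTED-SECRET"}  # constructed; never meant for output
    user_input = {"page_title": "${db_password}"}        # placeholder text arriving from a request
    print(render_twice(template, {**server_vars, **user_input}))  # second pass expands the secret
    print(render_twice_safe(template, server_vars, user_input))   # braces stripped, nothing expands
```

The unsafe path leaks a server-side variable because the second pass cannot tell template text from data that the first pass produced; the safe path applies the page's remediation (stripping the engine's special characters) to every untrusted value before the first pass, so nothing user-controlled can ever become a placeholder.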
The first step of the exploit is to bypass HTML sanitization of user input. Vulnerable versions of ServiceNow allow the variable jvar_page_title to include <style> tags in such a way that the enclosed payload is not sanitized and is evaluated as XML.
Once XML content is evaluated, changing the namespace declaration (xmlns) of the Jelly template to switch away from ServiceNow's own context allows the actor to execute arbitrary code. Although strict rules existed to prevent such namespace switches, replacing double quotes (") with single quotes (') in the declaration bypassed the check. These vulnerabilities, which allow an actor to execute arbitrary code, were assigned CVE-2024-4879 and CVE-2024-5217.
In addition to remote code execution, vulnerable versions of ServiceNow are also susceptible to sensitive file reads. ServiceNow employs access control policies, including a blacklist of several directory paths, to prevent sensitive file reads. These access control mechanisms can, however, be bypassed by adding .. to the file path, allowing the actor to read sensitive files; for example, the vulnerability can be used to read the database credentials file. It was assigned CVE-2024-5178.
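The file-read bypass above is the classic failure of a prefix denylist that never normalises the path. The following added example (not ServiceNow's code; the base directory, the denied prefixes and the file names are all hypothetical) places that weak check beside a canonicalise-then-contain check so the difference is visible on the same inputs.

```python
import posixpath
from urllib.parse import unquote

# Constructed example: a prefix denylist like the one the post describes, next
# to a canonicalise-then-contain check. Directories and file names are
# hypothetical, not ServiceNow's real layout.
BASE_DIR = "/srv/app/public"                    # the only tree that may be served
DENIED_PREFIXES = ("/srv/app/conf", "/etc")     # "sensitive" paths the denylist guards

def denylist_allows(requested: str) -> bool:
    """Naive check: refuse only if the joined string starts with a denied prefix.
    A '..' segment defeats it because the string is never normalised."""
    full = posixpath.join(BASE_DIR, unquote(requested).lstrip("/"))
    return not full.startswith(DENIED_PREFIXES)

def canonical_allows(requested: str) -> bool:
    """Hardened check: decode, resolve '.' and '..' segments, then require the
    result to remain inside BASE_DIR (an allowlist, not a denylist)."""
    full = posixpath.normpath(posixpath.join(BASE_DIR, unquote(requested).lstrip("/")))
    return full == BASE_DIR or full.startswith(BASE_DIR + "/")

if __name__ == "__main__":
    samples = ("index.html", "../conf/db-credentials.example", "%2e%2e/%2e%2e/%2e%2e/etc/hostname")
    for path in samples:
        print(f"{path!r:45} denylist={denylist_allows(path)!s:5} canonical={canonical_allows(path)}")
```

Two caveats for real deployments: posixpath.normpath resolves dot segments lexically and does not follow symlinks, so the final opened file should still be verified (for example with os.path.realpath after opening, or by opening with O_NOFOLLOW), and the single unquote assumes the framework has not already decoded the parameter; a check that decodes a different number of times than the file-serving code is itself a bypass vector.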
By chaining the aforementioned vulnerabilities, malicious actors can achieve remote code execution in the server's context. ServiceNow has updated all of its hosted as well as self-hosted instances to patch the issue. We highly recommend upgrading your ServiceNow instances to mitigate the risk.
At Traceable, we continuously monitor the latest CVEs and threats to ensure that our customers are protected against those vulnerabilities and attacks. When the vulnerability was announced, we rapidly developed and deployed appropriate protection mechanisms. As of 1st Aug, 2024, all Traceable customers are protected against these vulnerabilities. We continue to monitor blocked exploitation attempts via our Omnitrace Engine and to reach out to customers who have been targeted.
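For teams that cannot patch immediately or that want to review historical access logs, the chain above leaves recognisable traces in request parameters: markup or Jelly-style tags reaching a template parameter such as jvar_page_title, an xmlns declaration inside it, and .. segments in a file-path value. The following added detection example (not Traceable's or ServiceNow's code) runs those indicators over constructed log lines; the endpoints /page.do and /read.do, the path parameter name and all client addresses are hypothetical, and the suspicious values are the literal word PLACEHOLDER rather than working content.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Constructed sample access-log lines in common log format. The hosts,
# endpoints (/page.do, /read.do) and the "path" parameter are hypothetical;
# only jvar_page_title comes from the write-up. Payload bodies are the literal
# word PLACEHOLDER, not working content.
SAMPLE_LOG = """\
203.0.113.10 - - [01/Aug/2024:10:00:01 +0000] "GET /page.do?jvar_page_title=Welcome HTTP/1.1" 200 512
203.0.113.11 - - [01/Aug/2024:10:00:02 +0000] "GET /page.do?jvar_page_title=%3Cstyle%3EPLACEHOLDER%3C%2Fstyle%3E HTTP/1.1" 200 812
203.0.113.12 - - [01/Aug/2024:10:00:03 +0000] "GET /page.do?jvar_page_title=%3Cstyle%3E%3Cx+xmlns%3Ax%3D%27PLACEHOLDER%27%3E HTTP/1.1" 200 812
203.0.113.13 - - [01/Aug/2024:10:00:04 +0000] "GET /read.do?path=..%2F..%2Fconf%2FPLACEHOLDER HTTP/1.1" 404 0
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*"')

# Indicators drawn from the write-up: markup or g:/j:/g2:/j2: tags reaching a
# parameter, a namespace (xmlns) declaration inside it, and '..' path segments.
INDICATORS = [
    ("template-tag", re.compile(r"<\s*(?:style\b|[jg]2?:)", re.I)),
    ("xmlns-declaration", re.compile(r"\bxmlns(?::\w+)?\s*=", re.I)),
    ("path-traversal", re.compile(r"(?:^|[\\/])\.\.(?:[\\/]|$)")),
]

def scan_params(params):
    """Return 'param:indicator' strings for every parameter value that matches."""
    hits = []
    for name, value in params:
        decoded = unquote(value)  # second decode catches double-encoded input
        for label, pattern in INDICATORS:
            if pattern.search(decoded):
                hits.append(f"{name}:{label}")
    return hits

def scan_log(text):
    """Parse each request line and report the ones with suspicious parameters."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line we understand; skip rather than crash
        url = urlsplit(m.group("target"))
        params = parse_qsl(url.query, keep_blank_values=True)  # decodes one layer
        hits = scan_params(params)
        if hits:
            findings.append({"ip": m.group("ip"), "path": url.path, "indicators": hits})
    return findings

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding["ip"], finding["path"], ", ".join(finding["indicators"]))
```

The scanner inspects every query parameter rather than only jvar_page_title, so a similar indicator in another parameter is still reported, and it records the parameter name in each hit so an analyst can see where the value landed. Because the indicators are substring patterns, expect some benign matches (a legitimate page title containing a stray "<style", for instance); treat hits as triage leads to correlate with the response status and the affected instance's patch level rather than as proof of compromise.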