ServiceNow vulnerability alert: Hackers are actively exploiting year-old flaws (CVE-2024-4879, CVE-2024-5217, CVE-2024-5178) for database access. Learn how to protect your systems.
Security researchers at threat intelligence firm GreyNoise have issued a warning about a significant increase in malicious activity targeting three previously disclosed vulnerabilities in ServiceNow, a cloud-based platform that helps organizations automate and manage their digital workflows.
These vulnerabilities, identified as CVE-2024-4879, CVE-2024-5217, and CVE-2024-5178, were originally discovered by Assetnote's security researcher Adam Kues in May 2024 and subsequently patched by ServiceNow in July 2024.
Despite the availability of patches, GreyNoise has observed a “resurgence of in-the-wild activity” aimed at exploiting these flaws. This surge in attack attempts has involved a significant number of unique IP addresses, with activity detected within the last 24 hours. Specifically, 36 threat IPs targeted CVE-2024-5178, while 48 threat IPs each targeted CVE-2024-4879 and CVE-2024-5217, according to GreyNoise's blog post.
Geographically, the majority of observed malicious activity, exceeding 70% of sessions in the past week, has been directed at systems located in Israel. However, targeted systems have also been detected in Lithuania, Japan, and Germany, with only Israel and Lithuania experiencing activity within the most recent 24-hour period. This geographical concentration suggests the possibility of a targeted campaign.
CVE-2024-4879 is a template injection vulnerability. For context, template injection vulnerabilities occur when user-supplied input is inserted into a template engine without proper sanitization. In the context of ServiceNow, this could allow attackers to inject malicious code into templates used by the platform. Successful exploitation could lead to remote code execution, meaning attackers could gain control of the server hosting the ServiceNow instance.
CVE-2024-5217 and CVE-2024-5178 both involve input validation errors, which can allow attackers to manipulate data and bypass security controls. Input validation vulnerabilities arise when applications fail to properly validate user-supplied input.
The vulnerabilities are particularly concerning because they can be chained together, as originally noted by Assetnote and reaffirmed by GreyNoise, to achieve “full database access” to affected ServiceNow instances. This poses a substantial risk to organizations that rely on ServiceNow to manage sensitive data, including employee information and HR records.
ServiceNow's spokesperson Erica Faltous stated that they became aware of these vulnerabilities nearly a year ago and have not observed any customer impact from a coordinated attack campaign to date. However, the threat cannot be ignored. GreyNoise therefore recommends that organizations using ServiceNow take immediate action to mitigate the risk. This includes applying the latest security patches, restricting access to management interfaces, and monitoring for suspicious activity.
Aaron Costello, chief of SaaS security research at AppOmni, emphasized that the vulnerability was severe because it allowed unauthenticated access to full databases. On-premise ServiceNow systems that did not apply security patches were at risk, unlike cloud-hosted versions where the vendor handles updates. Implementing IP address access controls could have prevented exploitation. Costello stressed the importance of keeping up with security patches, especially for on-premise SaaS software.