Yes, Indecium is poised to assist you with the solutions provided by our partner AppOmni. The first step in this assistance is to perform a SaaS Security Evaluation right away.
What is the ServiceNow Access Control List (ACL) misconfiguration?
As part of the AO Labs team’s ongoing security research into the ServiceNow platform, AppOmni discovered external interfaces exposed to the public that may be utilized by a malicious actor to extract data from records. AppOmni’s analysis of ServiceNow instances showed that nearly 70% of tested instances are vulnerable to this misconfiguration, which could allow an unauthenticated user to extract sensitive data, including Personally Identifiable Information (PII).
How does the ServiceNow ACL misconfiguration happen?
There are many legitimate reasons why a company may use their SaaS platforms as a delivery vehicle for public content such as forums, online shops, customer support sites, and knowledge bases. SaaS platforms like ServiceNow are complex and highly configurable. Along with this incredible flexibility comes the ability to inadvertently expose data that isn’t intended to be shared. That makes it common for organizations to have system configurations that don’t match their business intent, such as over-provisioning Guest users in this ServiceNow ACL misconfiguration. Customers are responsible for configuring their SaaS platforms, and ACLs are commonly misconfigured.
How can I check if my ServiceNow instance has this ACL misconfiguration?
AppOmni, an Indecium Partner, has released a web application to evaluate ServiceNow instances for public data exposure through the ACL misconfiguration. You can request a SaaS Security Analyzer evaluation for your ServiceNow instance.
What type of information is requested in the evaluation?
The types of information requested are high-confidence indicators of Personally Identifiable Information (PII), such as First Name, Last Name, email address, etc., but our evaluation for you will not receive the actual data. No data is collected or released in our evaluation with the SaaS Security Analyzer.
Why does this involve only a limited subset of possible data exposures?
The SaaS Security Analyzer is evaluating only one table out of the thousands commonly used in ServiceNow. This table, along with many others, contains Personally Identifiable Information (PII). The exposure of this data is not intentional and can have negative ramifications for both the organization and the individuals whose data is exposed. That’s one of the reasons our partner AO Labs conducts research like this: to educate organizations about potential misconfigurations and other security issues so they can take action. The SaaS Security Analyzer does not evaluate a complete ServiceNow instance — a more comprehensive evaluation is required to determine if data is at risk.
My portal uses 2FA so how would Indecium or the partner be able to access this information to evaluate?
Authentication isn’t a consideration when talking about this particular exposed external interface and misconfiguration. Since the Guest user does not need to authenticate to the ServiceNow instance, 2FA doesn’t provide any additional protection. With this misconfiguration, the external interface exposes data to anonymous users/the Internet — not to authenticated users.
My data is encrypted at rest. Would it still be exposed?
Yes. Vendor-provided disk-level or database-level encryption does not prevent this category of data exposure. If either Edge Encryption or Column-Level Encryption (CLE) has been implemented for this particular resource, unauthenticated users will not be able to access data within restricted fields unless their role has been explicitly associated with the field’s encryption context.
What can I do to remediate the ServiceNow ACL misconfiguration?
Be aware: because there are valid reasons for the ACL configuration, disabling the setting as a “fix” is not recommended, as it could break functionality. AO Labs researchers have developed recommended steps ServiceNow administrators can take to remediate this ACL misconfiguration if it does not match their business intent.
Administrators should perform the following checks on a regular basis to ensure that access to sensitive information is not being provisioned to external unauthenticated users.
- Review ACLs that lack conditional or script-based access evaluation and have either no role or the ‘public’ role assigned to them.
- Review User Criteria (UC) and the resources to which those criteria grant access. In particular, focus on any UC to which the ‘Guest’ user is assigned or which contains the ‘public’ role. This includes the ‘Any User’ and ‘Guest’ built-in UCs.
- Review resources that can be directly assigned the ‘public’ role to grant access, or indirectly made accessible to the public through another mechanism (such as publishing a report).
- Review System Properties that may dictate access to records through a provided role or list of roles.