ServiceNow admin credentials among hundreds of passwords exposed in cloud security breach


Adam Bannister February 22, 2021, 13:21 UTC

Updated: February 23, 2021 18:37 UTC

Vulnerabilities that could damage the entire environment have now been patched

Due to a vulnerability in the IT support platform, more than 600 companies, universities, and government agencies may have inadvertently exposed their ServiceNow login credentials, many of which have administrator rights.

The now-patched security vulnerability centers on how the platform’s “Help the Help Desk” feature requests information from endpoints, leaving the unencrypted password publicly visible on all ServiceNow instances that use the feature.

‘Entire environment compromise’

Gaining administrative access to ServiceNow cloud instances will allow attackers to freely control customer support tickets, employee data, internal documents, internal IT tickets, internal HR tickets, and other potentially sensitive customer information.

“Other ServiceNow functions can even provide command execution on servers and workstations registered with various ServiceNow integrations,” said security researcher Jordan Potti in a blog post documenting his discovery.


“Given the amount of information and access ServiceNow has in many environments, this may directly cause damage to the entire environment.”

Obstructing the service desk

ServiceNow is a cloud computing platform used by enterprises to manage digital workflows and has more than 17,000 customers.

Business users can configure the Help the Help Desk feature to collect information from employee and customer endpoints through WMI scripts.

However, according to Potti, “the requested credentials are stored in a common JavaScript file on all ServiceNow instances that use this feature.”

The file, available via https://.servicenow.com/HelpTheHelpDesk.jsdbx, is easy to access, and the credentials are “at the top of the script for anyone to watch”.

To make matters worse, the password is only base64-encoded, not encrypted, even though its prefix misleadingly suggests otherwise.
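As an added illustration (not code from the article, the researcher or ServiceNow), the following audit helper shows why a base64 value behind a label is recoverable by anyone who can read the script. The variable names, the "enc:" prefix and all sample values are hypothetical and constructed for this example.

```python
import base64
import binascii
import re

# Constructed sample of a client-served script with embedded credentials.
# Variable names, the "enc:" prefix and all values are hypothetical.
SAMPLE_SCRIPT = '''\
var server = "https://instance.example/";
var soapUsername = "svc.helpdesk";
var soapPassword = "enc:UzNjcjN0LVBAc3M=";
var proxyPassword = "";
'''

# String literals assigned to variables whose names look credential-related.
ASSIGNMENT = re.compile(
    r"""\bvar\s+(?P<name>\w*(?:user|pass|pwd|secret)\w*)\s*=\s*"""
    r"""(?P<q>["'])(?P<value>.*?)(?P=q)""",
    re.IGNORECASE,
)
PREFIX = re.compile(r"^[A-Za-z]{2,12}:")  # a label placed ahead of the payload


def decode_if_base64(value):
    """Return the text behind a base64 value (optional prefix ignored), else None."""
    payload = PREFIX.sub("", value)
    if len(payload) < 8 or len(payload) % 4:
        return None
    try:
        text = base64.b64decode(payload, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    return text if text.isprintable() else None


def audit_script(source):
    """Report populated credential-like variables and what a reader can recover."""
    findings = []
    for match in ASSIGNMENT.finditer(source):
        value = match.group("value")
        if not value:
            continue  # variable left empty: nothing is exposed
        decoded = decode_if_base64(value)
        findings.append({
            "variable": match.group("name"),
            "encoding": "base64" if decoded is not None else "literal",
            "exposed_value": decoded if decoded is not None else value,
        })
    return findings
```

Any finding with a populated value means the credential should be rotated and replaced with a non-privileged account, since no key is needed to read it.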

Potti added: “Why didn’t I find this interesting before.”

Magnify risk

Compounding the security risk, many ServiceNow users supply their administrator credentials for the SOAP (Simple Object Access Protocol) authentication used to run the WMI scripts, ignoring the official documentation that outlines the process of creating a non-privileged role for the job.


As a result, the researchers found many administrator-level usernames in the exposed credentials, such as, and.

Potti points out: “In more than one case, credentials provide full administrator access to ServiceNow instances that are used by multinational companies with bug bounty programs.”

Easy to get

According to the researcher, a simple request is sufficient to determine whether a host will disclose the credentials.

“Using some open source reconnaissance, a list of ServiceNow subdomains was collected, and each subdomain was issued a request for the HelpTheHelpDesk script,” he continued.

“If the sum is filled, the request will be recorded.”

Researchers discovered the problem on August 15, 2020, and notified ServiceNow on August 20.

The developer released a patch on October 8, and the vulnerability was publicly disclosed yesterday (February 21).

A ServiceNow spokesperson told The Daily Swig: “ServiceNow is committed to protecting its customers and, like many software companies, runs a program to catch and patch vulnerabilities before they are exploited. In this case, once security researchers discover a vulnerability, they create a patch to correct it.”

The Daily Swig also contacted Jordan Potti for further comment. If we receive a response, we will update the story.

This article was updated on February 23 with a statement from ServiceNow.
