Hackers have been seen linking multiple ServiceNow vulnerabilities to target companies and organizations, and steal user login credentials.
Cybersecurity researchers from Resecurity spotted an input validation vulnerability, which allowed threat actors to run remote code execution (RCE) attacks on multiple versions of the Now Platform. The vulnerability is now tracked as CVE-2024-4879, and carries a severity score of 9.3.
Soon after, a team of researchers from Assetnote found two more flaws, tracked as CVE-2024-5178, and CVE-2024-5217, and explained how they might be leveraged in attacks, BleepingComputer reported. Soon enough, the attacks started happening. Resecurity says that after a week of monitoring the flaw, it spotted multiple victims, including government agencies, data centers, software development companies, and more.
Stealing login credentials
The attackers would inject a payload which checks for a specific result in the server response. If it gets the appropriate one, it deploys a second-stage payload that checks the contents of the database. The last step is to dump user lists and account credentials. While most of the time the credentials are hashed, there are some examples where the credentials were dumped in plaintext. That can lead to account compromise which, in turn, can carry devastating consequences, such as ransomware attacks.
ServiceNow is a cloud-based business solution for digital workflow management. It has almost 300,000 internet-exposed instances, making it quite a popular solution, BleepingComputer claims. Some of its clients include Coca-Cola (uses it for streamlining IT service management), Dell (IT service automation and management), Deloitte (IT service automation and optimization), and the State of California ( managing state-wide IT services and operations).
The fix for the vulnerabilities was released on July 10 2024, however at press time, it would seem that many organizations still haven’t applied it. Users are advised to install the fix immediately and make sure they do it on all instances.
More from TechRadar Pro
Services Marketplace – Listings, Bookings & Reviews