Hackers are chaining multiple ServiceNow vulnerabilities to target companies and organizations and steal user credentials.
Cybersecurity researchers at Resecurity discovered an input validation vulnerability that could allow threat actors to conduct remote code execution (RCE) attacks on multiple versions of the Now Platform. The vulnerability is now tracked as CVE-2024-4879 and has a severity score of 9.3.
Shortly after, a team of researchers at Assetnote discovered two more flaws, tracked as CVE-2024-5178 and CVE-2024-5217, and explained how they could be used in attacks, BleepingComputer reported. Soon the attacks began: Resecurity says that after a week of monitoring the flaw, it has discovered multiple victims, including government agencies, data centers, software development companies and more.
Stealing login details
The attackers inject a payload that checks for a specific result in the server response. If the expected result comes back, they deploy a second-stage payload that inspects the contents of the database. The final step is to dump lists of users and account credentials. While the credentials are usually hashed, in some cases they were dumped in plaintext. This can lead to account compromise, which in turn can have devastating consequences, such as ransomware attacks.
ServiceNow is a cloud-based enterprise solution for digital workflow management. It has nearly 300,000 internet-exposed instances, making it a widely used solution, according to BleepingComputer. Some of its customers include Coca-Cola (uses it to streamline IT service management), Dell (IT service automation and management), Deloitte (IT service automation and optimization), and the State of California (statewide IT service and operations management).
The fix for the vulnerabilities was released on July 10, 2024, but at the time of writing many organizations appear not to have applied it yet. Users are advised to install the fix immediately and to ensure that it is applied to all of their instances.