New Attacks Exploit Year-Old ServiceNow Flaws - Israel Hit Hardest

Article updated with a statement from ServiceNow.

ServiceNow vulnerability alert: Hackers are actively exploiting year-old flaws (CVE-2024-4879, CVE-2024-5217, CVE-2024-5178) for database access. Learn how to protect your systems.

Security researchers at threat intelligence firm GreyNoise have issued a warning regarding a significant increase in malicious activity targeting three previously disclosed vulnerabilities within ServiceNow, a cloud-based platform that helps organizations automate and manage their digital workflows.

These vulnerabilities, identified as CVE-2024-4879, CVE-2024-5217, and CVE-2024-5178, were initially revealed by Assetnote’s security researcher Adam Kues on 14 May 2024 and promptly patched by ServiceNow the same day.

Despite the availability of patches, GreyNoise has observed a “resurgence of in-the-wild activity” aimed at exploiting these flaws. This surge in attack attempts has seen a significant number of unique IP addresses involved, with activity detected within the last 24 hours. Specifically, 36 threat IPs targeted CVE-2024-5178, while 48 threat IPs each targeted CVE-2024-4879 and CVE-2024-5217, according to GreyNoise’s blog post.

Geographically, the majority of observed malicious activity, exceeding 70% of sessions in the past week, has been directed at systems located in Israel. However, targeted systems have also been detected in Lithuania, Japan, and Germany, with only Israel and Lithuania experiencing activity within the most recent 24-hour period. This geographical focus suggests the possibility of a targeted campaign.

CVE-2024-4879 is a template injection vulnerability. Template injection vulnerabilities occur when user-supplied input is inserted into a template engine without proper sanitization. In the context of ServiceNow, this could allow attackers to inject malicious code into templates used by the platform. Successful exploitation could lead to remote code execution, meaning attackers could gain control of the server hosting the ServiceNow instance.
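The general pattern described above, shown with Python's built-in `str.format` standing in for a template engine. This is an added example, not ServiceNow code and not specific to CVE-2024-4879; `AppConfig`, `render_vulnerable` and `render_hardened` are hypothetical names, and the secret and input are constructed. It shows data disclosure only, which is the limit of what this stand-in engine can evaluate.

```python
"""Template injection in miniature: user input as template source vs. as data."""


class AppConfig:
    """Stand-in for server-side state reachable from the template context."""

    def __init__(self):
        self.db_password = "constructed-secret-not-real"  # constructed value


def render_vulnerable(user_input: str, config: AppConfig) -> str:
    # BUG (intentional): the user's text is concatenated into the template
    # *source*, so any placeholder it contains is evaluated by the engine
    # with full access to the objects in the rendering context.
    template = ("Ticket opened by " + user_input
                + " (env: {config.__class__.__name__})")
    return template.format(config=config)


def render_hardened(user_input: str, config: AppConfig) -> str:
    # The template source is a fixed string; the user's text is supplied only
    # as a value. str.format does not re-scan substituted values, so
    # placeholder syntax in the input stays inert text. Only the fields the
    # template needs are passed in, not the whole config object.
    template = "Ticket opened by {name} (env: {env})"
    return template.format(name=user_input, env=type(config).__name__)


if __name__ == "__main__":
    cfg = AppConfig()
    probe = "{config.db_password}"  # constructed input carrying template syntax
    print("vulnerable:", render_vulnerable(probe, cfg))
    print("hardened:  ", render_hardened(probe, cfg))
```

Both functions produce identical output for ordinary input such as a user name; they diverge only when the input contains the engine's own placeholder syntax.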

CVE-2024-5217 and CVE-2024-5178 both involve input validation errors, which can enable attackers to manipulate data and bypass security controls. Input validation vulnerabilities arise when applications fail to properly validate user-supplied input.

The vulnerabilities are particularly concerning because they can be chained together, as initially noted by Assetnote and reaffirmed by GreyNoise, to gain “full database access” to affected ServiceNow instances. This poses a substantial risk to organizations that rely on ServiceNow to manage sensitive data, including employee information and HR records.

However, ServiceNow’s spokesperson shared the company’s statement with Hackread.com, explaining that they have not observed any customer impact from a coordinated attack campaign to date.

“Nearly a year ago, ServiceNow learned of a vulnerability on the Now Platform impacting instances running on the Vancouver and Washington, D.C. family releases. Immediately—starting, the day we learned of it—we deployed a series of updates and fully addressed the issue.”

“To-date, our investigations have not observed any customer impact from any attacks. We will continue to monitor the situation to best support our customers.”

ServiceNow

Nevertheless, GreyNoise recommends that organizations using ServiceNow take immediate action to mitigate the risk. This includes applying the latest security patches, restricting access to management interfaces, and monitoring suspicious activity.

Aaron Costello, chief of SaaS security research at AppOmni, emphasized that the vulnerability was severe because it allowed unauthenticated access to full databases. On-premise ServiceNow systems that didn’t update security patches were at risk, unlike cloud-hosted versions where the vendor handles updates. Implementing IP address access controls could have prevented exploitation. Costello stressed the importance of keeping up with security patches, especially for on-premise SaaS software.

Deeba is a veteran cybersecurity reporter at Hackread.com with over a decade of experience covering cybercrime, vulnerabilities, and security events. Her expertise and in-depth analysis make her a key contributor to the platform’s trusted coverage.