Most ServiceNow Instances Misconfigured, Exposed

Customers aren’t locking down access correctly, leading to ~70 percent of ServiceNow implementations tested by AppOmni being vulnerable to malicious data extraction.

Nearly 70 percent of instances of the software-as-a-service (SaaS) platform ServiceNow tested by AppOmni are potentially exposed to the public, because customers aren’t locking down access correctly.

ServiceNow is a $4.5 billion company whose software helps enterprises with their digital workflows. According to a report published Wednesday by AppOmni, more than 20,000 companies use the platform.


The cause of all the exposure, the report stated, is “a combination of customer-managed ServiceNow ACL configurations and overprovisioning of permissions to guest users.” ACLs – access control lists – track permissions in an IT environment.

Exposed instances “may be utilized by a malicious actor to extract data from records,” Offensive Security Researcher Aaron Costello wrote in the report.

Human Error Leads to Data Exposure

Organizations typically use role-based access controls (RBAC) to determine who can access what resources within a system. Users can see and possibly interact with whatever is relevant to them and are barred from whatever isn’t.

For public-facing companies, the general public plays into the RBAC picture. “One important aspect of RBAC,” the report noted, “is the ability to allow public access to information within your ‘database,’ which could be a forum, online shop, customer support site, or knowledge base. The challenge is ensuring the right level of access when organizations update or customize SaaS applications or onboard new users.”

Thus, what researchers have discovered is not so much a flaw in ServiceNow as an oversight made by customers. “Misconfigurations are common across major SaaS platforms,” wrote the researchers, “due to the complexity that inevitably comes with high levels of SaaS functionality, flexibility, and extensibility. Misconfigurations can happen during the initial implementation phase of a SaaS platform, when users or settings change, or as part of the regular cadence of SaaS updates that can impact current configurations.”

The researchers found that nearly 70 percent of ServiceNow instances tested by AppOmni were misconfigured, introducing the possibility that unauthorized users could steal sensitive information from enterprises that may not even realize they’re vulnerable.

Why SaaS is So Often Insecure

Because SaaS platforms are so prevalent, and so interconnected with business processes – and with one another – they tend to be some of the most high-value and highly vulnerable software in the world. They “have vastly increased the attack surface,” Sounil Yu, CISO and head of research at JupiterOne, wrote for Threatpost in December. “They’re ripe for exploitation due to mass adoption across many organizations. This enables attackers to concentrate their efforts on a handful of SaaS providers to simultaneously impact large numbers of their customers.”

Typically, SaaS products come with security features like encryption and single-sign-on authentication. But features aren’t enough when human error is involved. “Securing SaaS is a lot more complicated than just checking a handful of settings or enabling strong authentication for users,” said Brendan O’Connor, CEO and co-founder of AppOmni, in a statement.

And so, to protect against RBAC misconfiguration, the report advised that administrators review the following:

  • ACLs that lack conditional and script-based access evaluation and that have either no role, or the public role, assigned to them.
  • User criteria and the resources to which those criteria are granting access. Focus on any UC to which the “Guest” user is assigned or which contains the “public” role.
  • Resources that can be directly assigned the “public” role to grant access, or indirectly made accessible to the public through another mechanism.
  • And, finally, system properties that may dictate access to records through a provided role or list of roles.
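The first item on that list can be checked mechanically against an export of ACL records. The sketch below is an added example, not code from AppOmni or ServiceNow; the flat record layout, the field names and the sample records are constructed assumptions.

```python
# Added example: field names and the flat record layout are assumptions,
# not ServiceNow's export schema. The sample records are constructed.
import json

SAMPLE_EXPORT = json.loads("""
[
 {"name": "kb_knowledge", "operation": "read", "active": true,
  "condition": "", "script": "", "roles": ["public"]},
 {"name": "incident", "operation": "read", "active": true,
  "condition": "", "script": "  ", "roles": []},
 {"name": "incident.short_description", "operation": "write", "active": true,
  "condition": "", "script": "", "roles": ["itil"]},
 {"name": "sc_request", "operation": "read", "active": true,
  "condition": "caller_id=CONSTRUCTED", "script": "", "roles": []},
 {"name": "sys_user", "operation": "read", "active": false,
  "condition": "", "script": "", "roles": []}
]
""")

def _blank(value):
    """Treat missing, empty and whitespace-only fields as 'not set'."""
    return value is None or not str(value).strip()

def review_acl(acl):
    """Return a reason if the ACL matches the first review item, else None."""
    if not acl.get("active", True):
        return None  # skipped here (assumption: inactive rules are not enforced)
    if not (_blank(acl.get("condition")) and _blank(acl.get("script"))):
        return None  # access is still gated by a condition or a script
    roles = {r.strip().lower() for r in acl.get("roles") or []}
    if not roles:
        return "no role, no condition, no script"
    if "public" in roles:
        return "public role, no condition, no script"
    return None  # restricted to a named, non-public role

def audit(acls):
    """Return (name, operation, reason) for every ACL that needs review."""
    return [(a["name"], a["operation"], r) for a in acls if (r := review_acl(a))]

if __name__ == "__main__":
    for name, op, reason in audit(SAMPLE_EXPORT):
        print(f"REVIEW {name} [{op}]: {reason}")
```

A flagged ACL is a candidate for review rather than a confirmed exposure, since some records, such as a public knowledge base, are meant to be readable by guests.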

Luckily there’s no fundamental, inescapable flaw in ServiceNow software. So long as admins diligently review their configurations, enterprises should remain safe from this particular harm.
