Regarding "Potential Public List Widget Misconfiguration" [KB1553688]

Suggy
Giga Sage

Hello Experts,

I believe everyone is aware of the subject issue.


In our case, we haven't touched ACLs or widgets. We are just using OOTB.

After the customer saw this topic, they are asking two straight questions:

1. 'Just answer yes or no: is our data leaked?'

2. Why have you not configured the ACLs properly?


Our answer was:

1. We don't know. We need to check with the ServiceNow team.

PS - We did raise a support case, and they are also not saying yes/no, just telling us to follow this article: KB1553688

and they are telling us to check with our internal security team (I am like: how on earth will the internal security team evaluate or answer this? ServiceNow is in the cloud and users access it from all over the world over the internet).

Now this question is still left open.

2. We told them we have not developed any ACLs. There were several ACLs shipped out of the box by ServiceNow, and ServiceNow has done proactive maintenance on them.

So again the customer is asking: why has ServiceNow written such ACLs? What were they doing all these years? Now ask them to tell us which data is leaked.

Now this question again is left open.


Please share your views on this and how you are handling it.


Sebastian R_
Kilo Sage

Why don't you check the transaction log as described in the article? https://support.servicenow.com/kb?id=kb_article_view&sysparm_article=KB1555166

That's how you can find out whether someone has tried to access e.g. the Simple List Widget for a certain table and whether records were returned or not.

Hi @Sebastian R_, we have already checked that. My open questions are:

1. Is customer data leaked? Yes or no? What should we answer to the customer? (KB1555166 again talks about 'potentially exposed if the "Render Size" is more than 9,600', but customers are asking again and again 'is my data exposed?')

2. Why has ServiceNow written such misconfigured/incomplete ACLs? What were they doing all these years? Now ask them to tell us which data is leaked.

Anand Kumar P
Giga Patron

Hi @Suggy ,

Initiated an investigation with ServiceNow's support. Data security in a cloud environment can be complex due to a global user base. ServiceNow's security team follows industry standards to evaluate and manage potential data exposure. We are closely following ServiceNow's guidance outlined in KB1553688.

ServiceNow incorporates Access Control Lists (ACLs) as standard security configurations to establish access controls. These ACLs are continuously maintained and updated to address evolving security threats. They are designed to maintain data security and user access balance, ensuring protection rather than exposure.
Remediation steps:

  • Review Access Control Lists (ACLs) that either are entirely empty or, alternately, contain the role "Public"
  • Review public widgets and set the "Public" flag to false where it is not aligned with their use cases
  • Consider using stricter access control measures using built-in controls offered by ServiceNow, such as IP Address Access Control or Adaptive Authentication
  • Consider installing ServiceNow Explicit Roles Plugin. ServiceNow states that the plugin prevents external users from accessing internal data and instances using this plugin are not affected by this issue (the plugin ensures that every ACL declares at least one role requirement)

These recommended remediation steps can still be used by organizations that are exposed (even after the fix), as it's worth double-checking to ensure top security throughout the organization.
Organizations that use a SaaS Security Posture Management (SSPM) solution, like Adaptive Shield, are able to gain visibility into ServiceNow's and any other SaaS app's configurations.
SSPMs alert security teams when there are high-risk configurations, enabling them to adjust their settings and prevent any type of data leakage. This way, companies gain a better understanding of their attack surface, level of risk, and security posture with an SSPM.
Please mark it as helpful and solution proposed if it serves your purpose.
Thanks,

Anand
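The three checks discussed in this thread (Sebastian's transaction-log review, and the "empty or Public ACL" and "public widget" items in the remediation list above), as an added, runnable example. This is not code from the thread, from ServiceNow, or from KB1553688/KB1555166. It assumes plain JSON records such as a Table API export: sys_security_acl rows with a `roles` array joined by hand from sys_security_acl_role, sp_widget rows with `id`, `name` and `public`, and transaction-log rows reduced to `{ url, user, bytes }`, where the column that holds the response size (the "Render Size" the thread quotes) is mapped by the reader. The 9,600-byte threshold is the one the thread quotes from KB1555166; the sample records are constructed for the example.

```javascript
// Added example (not from the thread, from ServiceNow, or from the KB articles):
// offline triage of ACLs, widgets and transaction-log rows for the
// "Potential Public List Widget Misconfiguration" topic. All input shapes and
// sample data below are assumptions/constructed, not ServiceNow exports.

const PUBLIC_ROLE = 'public';           // pseudo-role that grants unauthenticated access
const RENDER_SIZE_THRESHOLD = 9600;     // bytes; figure quoted from KB1555166 in the thread
const GUEST_USER = 'guest';             // ServiceNow's unauthenticated user
const WIDGET_API = /\/api\/now\/sp\/widget\//i;   // Service Portal widget REST endpoint

function isTruthy(v) {
  return v === true || String(v).toLowerCase() === 'true';
}

// An active record-type read ACL is "open" when it names no role at all or only
// the pseudo-role "public". Conditions and scripts are not evaluated here, so a
// hit is a candidate for manual review, not a confirmed exposure.
function findOpenReadAcls(acls) {
  const hits = [];
  for (const acl of acls) {
    if (!isTruthy(acl.active) || acl.type !== 'record' || acl.operation !== 'read') continue;
    const roles = (acl.roles || []).map(r => String(r).toLowerCase()).filter(Boolean);
    if (roles.length === 0) {
      hits.push({ name: acl.name, roles, reason: 'no role' });
    } else if (roles.every(r => r === PUBLIC_ROLE)) {
      hits.push({ name: acl.name, roles, reason: 'public role' });
    }
  }
  return hits;
}

// Widgets with the "Public" flag set are reachable without a session; each one
// should be matched against a real use case before it is left enabled.
function findPublicWidgets(widgets) {
  return widgets.filter(w => isTruthy(w.public)).map(w => ({ id: w.id, name: w.name }));
}

// Transaction-log rows for guest calls to the widget API whose response was larger
// than the threshold: a widget that rendered no rows stays small, so a large
// response suggests records were returned to an unauthenticated caller.
function findSuspectWidgetTransactions(rows, threshold = RENDER_SIZE_THRESHOLD) {
  return rows
    .filter(r => WIDGET_API.test(String(r.url)))
    .filter(r => String(r.user).toLowerCase() === GUEST_USER)
    .filter(r => Number(r.bytes) > threshold)
    .map(r => ({ url: r.url, bytes: Number(r.bytes) }));
}

function triage({ acls, widgets, txlog }) {
  return {
    openReadAcls: findOpenReadAcls(acls),
    publicWidgets: findPublicWidgets(widgets),
    suspectTransactions: findSuspectWidgetTransactions(txlog),
  };
}

// Constructed sample data (not real instance records).
const SAMPLE_ACLS = [
  { name: 'incident',          operation: 'read',  type: 'record', active: 'true',  roles: ['itil'] },
  { name: 'kb_knowledge',      operation: 'read',  type: 'record', active: 'true',  roles: ['public'] },
  { name: 'u_vendor_contract', operation: 'read',  type: 'record', active: 'true',  roles: [] },
  { name: 'u_vendor_contract', operation: 'write', type: 'record', active: 'true',  roles: [] },
  { name: 'u_old_table',       operation: 'read',  type: 'record', active: 'false', roles: [] },
];
const SAMPLE_WIDGETS = [
  { id: 'example-simple-list', name: 'Simple List (example)', public: 'true' },
  { id: 'example-my-requests', name: 'My Requests (example)', public: 'false' },
];
const SAMPLE_TXLOG = [
  { url: '/api/now/sp/widget/example-simple-list', user: 'guest',      bytes: 412 },
  { url: '/api/now/sp/widget/example-simple-list', user: 'guest',      bytes: 58231 },
  { url: '/api/now/sp/widget/example-simple-list', user: 'abel.tuter', bytes: 58231 },
  { url: '/api/now/table/incident',                user: 'guest',      bytes: 70000 },
];

const SAMPLE_REPORT = triage({ acls: SAMPLE_ACLS, widgets: SAMPLE_WIDGETS, txlog: SAMPLE_TXLOG });
console.log(JSON.stringify(SAMPLE_REPORT, null, 2));
```

To feed real data in, export `sys_security_acl` (filtered to `operation=read^type=record^active=true`), `sys_security_acl_role` (to build the `roles` array per ACL), `sp_widget` (filtered to `public=true`) and the transaction log, then pass the three arrays to `triage`. An ACL flagged here may still be closed by its condition or script, and a large guest response only shows that something sizable was returned, so each hit needs a look at the actual widget options and table before it is reported as an exposure.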