KB1553688 - General Information | Potential Public List Widget Misconfiguration

@arielgritti - Hope you dont mind, but I translated into english (thanks Chrome Extension!)

Transcribed here:

"Good afternoon Community,

The first thing I must say is that this came to me from a community member and it helped (saved me) a few hours of understanding it, researching it, verifying it and solving it. He doesn't want to appear in the credits, he knows who he is and my thanks go to him. This is the spirit that we want to have in our community, help each other and what better example than this."

Let's get to the point (I'll try to put it in order)

1. We became aware of this potential issue explained in this KB:  https://support.servicenow.com/kb?id=kb_article_view&sysparm_article=KB1553688
2. A first reading makes you think that you have some problem with the ACLs (at least I initially interpreted it that way)
3. With the help of our anonymous hero, who also warned me, and since he had been sticking with this for more hours, the conclusion is that the source of the problem is the Simple List widget that is used in the Service Portal, which is defined as "Public" and that does not require you to have any "role" to access it, that is, you can use it without logging in without restrictions
4. This opens the door for someone clever to exploit this and get some table data
5. The problem is explained here:  https://www.enumerated.ie/index/servicenow-data-exposure
6. There is a Python tool to see if you are vulnerable here:  https://github.com/bsysop/servicenow
7. By running the python code (it is very simple, just enter the URLs of the instance you want to verify) I will tell you if you are vulnerable and which tables are exposed, which field
8. Then, the fix (there are several) but the most immediate is to make the Simple List widget "non-public", editing it and removing the check

Check

You run the python code again and you will see that you are no longer vulnerable.

Any extra steps

“Check that in the "sp_rel_widget_clone_list" table you do not have a clone of the widget. If you have it, you will have to do the same. But of course, if you have it, it means that you are using it and possibly "if you want" that data to be accessible by a user without logging in. It's the first thing the KB comments on. Therefore, before taking action, check your situation carefully.”

Some thoughts

“We are thinking about whether or not to publish this article. On the one hand we did not want to generate "social alarm", but on the other, we believed that it was a good opportunity to share something useful, which can save many of you time and headaches.

This article is not intended to be the definitive solution, but it is a first quick-action fix in case you are affected and want to first stop any problem and then analyze it calmly.

We hope (in plural, my "invisible friend" who is the real genius who helped me in this and I) that this article is useful to you.

As always, any comments are welcome!

Good luck, apply the fix if you are affected and have a good week!

Greetings,

Ariel”

¡Muchísimas gracias por compartir, Ariel!

¡Y gracias al héroe anónimo también!

Hi @Cdohert 

Good move!

Perfect. I was thinking of doing that, you saved me time and work! 😉

Thanks,

Ariel

Hola @rubenferrero 

Bien visto compañero.

Gracias por aportar, entre todos creo que podemos encontrar buenas soluciones colaborando.

He recibido una nueva versión del script que mira más tablas y más widgets.

Lo estamos probando, otro miembro de la comunidad me lo pasó.

Cuando lo tengamos finos lo pasaremos seguro.

Pero estamos mirando todos los widgets public = true and ID is not empty con el nuevo script.

Seguimos en la lucha

Ariel

Buenos días,

ACTUALIZACION: ServiceNow ha publicado un nuevo KB, KB1555166, donde nos aporta un método para revisar si hay transacciones que hayan explotar este fallo.

UPDATE: ServiceNow has published a new KB, KB1555166, where it provides us with a method to check if there are transactions that have exploited this flaw.

https://support.servicenow.com/kb?id=kb_article_view&sysparm_article=Kb1555166

Saludos,

Ariel

Buenas tardes,

Actualización en el caso que tengo creado por este tema, de hace 4min.

An update shared by ServiceNow just 4min ago (I've created a case).

Dear Valued ServiceNow Customer,

We are reaching out to inform you about a recent proactive maintenance action that has been taken to enhance the security of your noted instances. The update we applied adjusts the configuration of certain existing access control lists (ACLs). ServiceNow has delivered separate communications regarding this action to your team.

In addition to the earlier published article KB1553688, ServiceNow has also published article KB1555339 for further information on additional steps that we recommend you consider taking.

ServiceNow will update this Case as additional, relevant information becomes available and as appropriate.

Kind Regards,
ServiceNow

ACTUALIZACION/UPDATE

ServiceNow ha aplicado una segunda actualización. Os dejo los detalles debajo.

ServiceNow has applied a second update. I leave the details below.

Security maintenance notification
Review • October 2023

We are reaching out to inform you about a second proactive maintenance action that we took to enhance the security of your noted instances. The update we applied adjusted the configuration of certain existing access control lists (ACLs).

Here’s what you can expect

• To enhance the security of your instance(s), ServiceNow adjusted existing ACLs that did not contain any roles, scripts, and conditions on October 18 and 19.
• AsdescribedinKB1553688, in certain circumstances, an ACL that is configured to have empty roles, scripts, and conditions can grant unintended access to the data within the tables associated with the ACL.
• To further enhance the security of your instances, on October 20 and 21, an additional change was made to restrict use when certain ACLs point to roles that do not exist in the [sys_user_role] table.

Here’s what we need you to do

As recommended in communications you received earlier this week, please review the following items, and take any relevant action.

• For instances with Service Portal Widgets and tables orcolumns configured with ACLs with no role, no condition, and no script, we recommend that you review your transaction logs as described inKB1555166to evaluate whether access occurred as intended and in accordance with your business needs.
• In addition, please note that it is possible that the update may affect intended functionalitythat supports unauthenticated usersaccessing tableswithin your instances.We recommend the following steps to address this potential issue:
  • Review your expected public use cases to ensure intended functionality supporting unauthenticated users was not impacted by this maintenance.
  • If youidentifyany functionality that wasimpactedby this change, please do one of the following:
    • Update the ACL(s) associated with the Table and Field to include the “Public” role and remove the script that was added by the maintenance.
    • Createa new ACL for the associated Table and Field to include the “Public” role.
• If your instance is self-hosted please review KB1555340 for further information regarding the steps you need to take.

Questions?

• Please refer toKB1555339for further information on avoiding overly permissive ACLs.
• We are here to help. If you have any questions, please visit Now Support Portal or review the Customer Support - Contact Us knowledge article for contact information in your region.

Hola @arielgritti  muchas gracias por la aportación, sobre el nuevo update que comentaste tienes alguna conclusion ? o recomiendas seguir utilizando el metodo de ejecutar el codigo de python y dejar de hacer publico los widgets?
gracias.

Hola @sfg,

en la última versión del Python script the hace una recomendación más clara, en que nivel de afectación estás.

En cualquier caso, si el widget no reside  en un portal público, no debería afectar ponerlo como public false, salvo un skipped record (o no) en próximos upgrades

Best Regards

Hola @sfg 

Lo que comenta @German Alvarez2 , coincido con él.

También, desde el caso, comentan lo de tener activo el plugin "Explicit Roles" (que imagino casi todos, por no decir todos, lo tendremos activo) para forzar tener algún rol en las ACLs (aunque seguimos pensando que el problema está mucho antes de las ACLs)

Hello Ariel

Hope you are doing well !

We have reviewed the instance and we can see that it has "Explicit roles' plugin installed.
Because the Explicit Roles plugin ensures that every ACL declares at least one role requirement, your instances using the Explicit Roles plugin are not affected by this issue. ServiceNow encourages customers with this plugin to review ACLs that contain the "public" role and evaluate their User Criteria configurations. The process for evaluating User Criteria is found here: KB1123580

We have checked and we don't see any knowledge bases accessible to unauthenticated users.
We would still like to request you to review the knowledge articles provided and review the instances at your end.

Colleagues,

Coming in an update on today, on the KB155139, regarding the leakage,

It seems that ServiceNow is rolling out a patch to their customers in order to whitelist not only tables, but also widgets.

By this, only widgets in this whitelist can be shown for non-authenticated users, or almost, make GlideRecords, (not very clear)

So, Community, please be prepared for the rollout, because it will enforce the security, but also, it can create some functionality issue, if it restricts unexpectedly some widgets not in the whitelist

Also, please, think on propagate the patch to your cloned widgets

This security assessment script was released by ServiceNow last week to help you determine what could have been accessed.

https://support.servicenow.com/kb?id=kb_article_view&sysparm_article=KB1561609