ServiceNow leak: thousands of companies at risk - is that correct?

MK21
Tera Contributor

Hi, 

 

I saw the news "ServiceNow leak: thousands of companies in trouble":

https://cybernews.com/news/servicenow-leak-thousands-companies-risk/

 

ServiceNow published a KB article:

 

https://support.servicenow.com/kb?id=kb_article_view&sysparm_article=KB1553688

 

I am dumb; can anyone tell me what action is required from us as instance admins?

 

Can anyone tell me the procedure or steps?

8 REPLIES

Markus Kraus
Kilo Sage

Here is a tool that allows you to analyse the affected widgets and ACLs, and also helps with analysing any potential damage that has been done:
https://www.servicenow.com/community/developer-articles/quot-data-leak-analyser-quot-gt-in-response-...

mush
Tera Guru

This security assessment script was released by ServiceNow last week to help you determine what could have been accessed.

https://support.servicenow.com/kb?id=kb_article_view&sysparm_article=KB1561609

 

Markus Kraus
Kilo Sage

@mush This script yields absolutely incorrect results. The ACL evaluation of this script is based on the ACLs that are active at the point of execution of the assessment script.

The Data Leak Analyser does an accurate evaluation with the ACL configuration that was present at the time of the attack.

Example: You had the OOTB ACL configuration for sc_cat_item which allows public to access all catalog items. Since the attack you removed public from the ACL's roles. The Script from ServiceNow will incorrectly assume the Catalog Items were never leaked, but in fact they were all (maximum of 500 of course) leaked.

 

Jesus Christ, after more investigation: for God's sake, please do not use this script. This script doesn't even do the orderBy properly, nor is the creation date of the record considered... Basically, if the attachment table was attacked and you had any attachments uploaded since the time of the attack, it will first loop over the latest attachments instead of the ones that existed at the time of the attack.
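
A toy model of the two points made in this post, added here as an example; it is not code from the thread, from the Data Leak Analyser, or from ServiceNow's assessment script. It compares a point-in-time reconstruction (ACL as it was when the request arrived, only records that existed then, same ordering and cap the widget applied) with the naive approach criticised above (today's ACL, newest records first). The ACL history, the records, the ascending sys_created_on ordering and the 500-row cap are all assumptions constructed for illustration.

```javascript
// Added example, not from the thread: why an exposure assessment must use the
// ACL in force at the time of the request and only the records that existed then.
// Ordering by sys_created_on ascending and the "first 500" cap are ASSUMPTIONS
// for illustration, not ServiceNow's documented widget behaviour.

const LIMIT = 500; // the cap mentioned in the thread

// Constructed ACL history for one table: which roles may read it from a given
// time onwards. "public" means unauthenticated read access.
const aclHistory = [
  { effectiveFrom: Date.parse('2023-01-01T00:00:00Z'), roles: ['public', 'itil'] }, // OOTB-like config
  { effectiveFrom: Date.parse('2023-10-20T00:00:00Z'), roles: ['itil'] },           // public removed after the incident
];

// Constructed request time and records: 600 created before it, 50 after.
const ATTACK_TIME = Date.parse('2023-10-18T12:00:00Z');
const HOUR = 3600 * 1000;

function makeRecords() {
  const recs = [];
  for (let i = 0; i < 600; i++) {
    recs.push({ sys_id: `old${i}`, sys_created_on: ATTACK_TIME - (600 - i) * HOUR });
  }
  for (let i = 0; i < 50; i++) {
    recs.push({ sys_id: `new${i}`, sys_created_on: ATTACK_TIME + (i + 1) * HOUR });
  }
  return recs;
}

// ACL entry in force at instant `at`: the latest one whose effectiveFrom <= at.
function aclAt(history, at) {
  const inForce = history
    .filter(a => a.effectiveFrom <= at)
    .sort((a, b) => b.effectiveFrom - a.effectiveFrom);
  return inForce.length ? inForce[0] : null;
}

function publicCanRead(acl) {
  return acl !== null && acl.roles.includes('public');
}

// Point-in-time reconstruction: historical ACL, records existing at that time,
// assumed ascending creation order, first LIMIT rows.
function exposedAtTime(records, history, at, limit = LIMIT) {
  if (!publicCanRead(aclAt(history, at))) return [];
  return [...records]
    .filter(r => r.sys_created_on <= at)
    .sort((a, b) => a.sys_created_on - b.sys_created_on)
    .slice(0, limit)
    .map(r => r.sys_id);
}

// Naive assessment as criticised in the post: evaluates the ACL as it is now
// and walks the newest records first, ignoring when they were created.
function exposedNaive(records, history, now, limit = LIMIT) {
  if (!publicCanRead(aclAt(history, now))) return [];
  return [...records]
    .sort((a, b) => b.sys_created_on - a.sys_created_on)
    .slice(0, limit)
    .map(r => r.sys_id);
}

// Stand-alone demonstration.
const recs = makeRecords();
console.log('point-in-time:', exposedAtTime(recs, aclHistory, ATTACK_TIME).length, 'records');
console.log('naive, run after public was removed:',
  exposedNaive(recs, aclHistory, Date.parse('2023-11-01T00:00:00Z')).length, 'records');
```

Run after the ACL was tightened, the naive evaluation reports nothing leaked, while the point-in-time reconstruction returns the 500 oldest records that existed at the request time; run while public access was still present, the naive version starts from records created after the request, which could not have been in the response.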

 

mush
Tera Guru

@Markus Kraus  😁 I'll let ServiceNow defend their own script.

 

However, I can comment from my own tests: after setting 'toggleACLMaintProperty' to true, it did return approximately 500 'Catalog items', so this does appear to have worked for me.

 

While not definitive, from the transaction logs (KB1555166) you can at least see how the query was constructed, if any. This is important to understand what data was returned, and by giving an example you'll see that 'probably' in 'most' cases it's not a big deal.

 

Transaction log query is the following:

 

/api/now/sp/widget/widget-simple-list?t=sys_attachment&f=file_name&api=api

 

 

A real example of some of the data (JSON) that is actually returned (sys_id changed) from the above query to an unauthenticated user (I've reproduced this using vulnerability tools).

 

{
   "sys_id":"a85035005fred569569luddy62678989",
   "className":"sys_attachment",
   "display_field":{
      "display_value":"001.png",
      "label":"File name",
      "type":"string",
      "value":"001.png"
   },
   "secondary_fields":[
      {
         "display_value":null,
         "value":null
      }
   ]
}

 

This is not to say that it wasn't a problem because carefully constructed queries could have returned PII data.
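
A small triage script for the transaction-log approach described in the post above, added here as an example and not code from the thread or from ServiceNow. It pulls the `t` (table) and `f` (field) parameters out of widget-simple-list requests, groups the unauthenticated hits per table so you can see which tables and display fields were actually asked for, and flattens the record shape shown above into the values that were disclosed. The log line format (ISO time, user, request, tab-separated), the use of `guest` as the unauthenticated user name and the log lines themselves are constructed for the example; a real transaction log export will need its own parser.

```javascript
// Added example, not from the thread: triage of transaction-log entries for the
// widget-simple-list endpoint and of the JSON it returned.
// Log line format below is CONSTRUCTED: "<iso-time>\t<user>\t<METHOD> <path?query>".

const WIDGET_PATH = '/api/now/sp/widget/widget-simple-list';

// Constructed sample log lines (not real data).
const LOG = [
  '2023-10-18T12:01:07Z\tguest\tGET /api/now/sp/widget/widget-simple-list?t=sys_attachment&f=file_name&api=api',
  '2023-10-18T12:01:09Z\tguest\tGET /api/now/sp/widget/widget-simple-list?t=sys_attachment&f=file_name&api=api',
  '2023-10-18T12:02:30Z\tguest\tGET /api/now/sp/widget/widget-simple-list?t=sc_cat_item&f=name&api=api',
  '2023-10-18T12:03:00Z\tguest\tGET /api/now/sp/widget/widget-simple-list?t=sys_user&f=email&api=api',
  '2023-10-18T12:04:00Z\tadmin\tGET /api/now/sp/widget/widget-simple-list?t=incident&f=number&api=api',
  '2023-10-18T12:05:00Z\tguest\tGET /sp?id=index',
];

// Parse one line; returns null for anything that is not a widget-simple-list request.
function parseLine(line) {
  const [ts, user, request] = line.split('\t');
  if (!request) return null;
  const target = request.split(' ')[1] || '';
  const url = new URL(target, 'https://instance.invalid'); // base only needed to parse a relative path
  if (url.pathname !== WIDGET_PATH) return null;
  return {
    ts,
    user,
    table: url.searchParams.get('t'),
    field: url.searchParams.get('f'),
  };
}

// Group widget hits by table, keeping only users treated as unauthenticated.
// Result: { table: { hits, fields: [...], firstSeen, lastSeen } }
function triage(lines, unauthUsers = ['guest']) {
  const byTable = {};
  for (const line of lines) {
    const hit = parseLine(line);
    if (!hit || !unauthUsers.includes(hit.user) || !hit.table) continue;
    if (!byTable[hit.table]) {
      byTable[hit.table] = { hits: 0, fields: new Set(), firstSeen: hit.ts, lastSeen: hit.ts };
    }
    const entry = byTable[hit.table];
    entry.hits += 1;
    if (hit.field) entry.fields.add(hit.field);
    if (hit.ts < entry.firstSeen) entry.firstSeen = hit.ts; // ISO strings compare lexically
    if (hit.ts > entry.lastSeen) entry.lastSeen = hit.ts;
  }
  for (const t of Object.keys(byTable)) byTable[t].fields = [...byTable[t].fields].sort();
  return byTable;
}

// Flatten the widget's record shape (as in the JSON above) into the disclosed values.
function extractDisclosed(records) {
  return records.map(r => ({
    sys_id: r.sys_id,
    table: r.className,
    value: r.display_field ? r.display_field.value : null,
    secondary: (r.secondary_fields || []).map(f => f.value),
  }));
}

// Constructed response in the shape shown in the thread (sys_id is not a real one).
const SAMPLE_RESPONSE = [
  {
    sys_id: 'a85035005fred569569luddy62678989',
    className: 'sys_attachment',
    display_field: { display_value: '001.png', label: 'File name', type: 'string', value: '001.png' },
    secondary_fields: [{ display_value: null, value: null }],
  },
];

// Stand-alone demonstration.
console.log(JSON.stringify(triage(LOG), null, 2));
console.log(extractDisclosed(SAMPLE_RESPONSE));
```

The per-table field list is what tells you whether a request only pulled a display field such as `file_name`, or something that needs to be treated as PII; the admin line is dropped because it is an authenticated request, and the `/sp?id=index` line is dropped because it is not the widget endpoint.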