Thousands of orgs at risk of knowledge base data leaks via ServiceNow misconfigurations

Security researchers say that thousands of companies are potentially leaking secrets from their internal knowledge base (KB) articles via ServiceNow misconfigurations.

Aaron Costello and Dan Meged, of the AppOmni and Adaptive Shield security shops respectively, separately published their findings this week, concluding that pages set to "private" could still be read by tinkering with a ServiceNow customer's KB widgets.

These widgets are essentially containers of information used to construct the pages in KB articles. These can include page elements that allow users to leave feedback on articles, either through star ratings or comments, for example.

In cases where an organization's KB is set to "public," but the pages inside it are set to "private," each KB article can be read via ServiceNow's widgets.

Meged estimated around 30 percent of ServiceNow customers have this faulty configuration and could be unwittingly exposing secrets held in their KB, such as first-time-access passwords for new starters connecting to a company VPN, for example.

Similarly, Costello estimated that after looking at more than 1,000 different ServiceNow instances, 45 percent of them were unintentionally exposing data.

Customers who set their KBs and KB pages to "private" are not exposed to this problem, and even if pages are set to "public" but the KB itself is set to "private," these customers are also safe from the type of exposure described here.

It should be clarified that KB articles are different from pages. KB pages can contain any kind of information – it could be a piece of multimedia content or it could contain an article, or a combination of these elements. KB articles are the actual content people want to read, and widgets offer extra functionality like commenting or rating.

Widgets themselves can also be set to "private," but they are "public" by default, which is what allows any unauthenticated user to access it. The KB Article Page widget can be exploited to retrieve KB article content because it makes it easy for potential intruders to locate exposed KB articles.

Some widgets use the UUID to locate this content, but the KB Article Page widget allows articles to be located using their unique article ID, the format of which is always "KB" followed by seven integers (KBXXXXXXX), making it possible to increment up until an exposed article is found.

By using a network proxying tool like Burp Suite, HTTP requests made to the ServiceNow instance can be intercepted, as can the g_ck JavaScript variable. This variable can then be plugged into a POST request alongside the article ID that corresponds to the exposed article. Sending that request returns all sorts of data related to that article, including the entirety of its content.

"This widget's ability to quickly iterate over KB numbers to rapidly retrieve information is extremely useful for an attacker who can send requests in quick succession and even facilitates them to attack multiple ServiceNow instances simultaneously without much bandwidth," said Costello.

Barriers to security

Costello offered more insight into why ServiceNow KBs remain so widely misconfigured.

The researcher worked with The Register on a ServiceNow-related story last year, looking at the role of Access Control Lists (ACLs) that weren't being used properly by customers and, in turn, weren't protecting KB article exposure.

What followed was the addition of new security controls for widgets to prevent these kinds of exposures, and Security Attributes were added to most ACLs by default.

"This double-layered approach to data security was a welcome change," he said. "But, unfortunately, these changes did not provide any added protections to one of the most prevalent sources of data exposure, the knowledge base."

Crucially, he said the public widgets used in the method described above didn't receive the ACL update, and the fact that most KB articles aren't even protected by ACLs anyway – many customers use User Criteria instead – meant the ACL update wasn't an effective KB protection in the first place.

The method of retrieving KB articles can be mitigated by applying the appropriate User Criteria, said Costello. The platform's native User Criteria Diagnostics can help identify KBs that are exposed to unauthenticated users too.

Introduced in 2022, the researcher said "it is imperative that administrators ensure this Business Rule is still activated on their platform." Keeping these in place means Guest Users are blocked from accessing KB materials by default.

The Register approached ServiceNow for a statement but it didn't reply in time for publication.

Double the findings

Confused as to why the two researchers, Costello and Meged, published slightly different, but essentially the same findings on September 17, each without mentioning the other, we asked them both how this happened.

Essentially, there's a small dispute over who found the issues first. Speaking to The Reg, Costello pointed to ServiceNow's acknowledgment that AppOmni discovered it. However, Adaptive Shield showed us signs they had been working on the research since 2023 and simply timed their publication to align with ServiceNow's comms team. ®