ServiceNow discloses critical vulnerabilities CVE-2024-4879, CVE-2024-5217 and CVE-2024-5178
On July 10, 2024, ServiceNow disclosed critical vulnerabilities CVE-2024-4879, CVE-2024-5217, and CVE-2024-5178, which pose significant risks to users of the Now Platform. These vulnerabilities allow unauthorized access and remote code execution (RCE) within the platform, potentially leading to severe operational disruptions and data breaches.
Overview of Vulnerabilities
CVE-2024-4879
- Type: Unauthenticated RCE via Jelly Template Injection
- CVSS Score: 9.3
- Description: This vulnerability allows unauthenticated users to execute arbitrary code within the context of the Now Platform. Attackers can exploit this flaw by injecting malicious code through the ServiceNow UI macros, which can lead to unauthorized access to sensitive data and system control.
CVE-2024-5217
- Type: Unauthenticated RCE via Incomplete Input Validation
- CVSS Score: 9.2
- Description: Similar to CVE-2024-4879, this vulnerability enables unauthenticated users to execute arbitrary code. It exploits insufficient input validation in the GlideExpression script, allowing attackers to manipulate the execution flow and gain control over the platform.
CVE-2024-5178
- Type: Unauthorized File Access
- CVSS Score: 6.9
- Description: This vulnerability allows administrative users to access sensitive files on the web application server due to incomplete input validation in the SecurelyAccess API. While it is less severe than the RCE vulnerabilities, it still poses a risk of data exposure.
Exploitation and Impact
The vulnerabilities can be chained together to enhance their exploitability. For instance, attackers can first leverage CVE-2024-4879 to gain initial access and then use CVE-2024-5217 to escalate their privileges and execute further malicious actions. This chaining of vulnerabilities amplifies the potential impact, allowing attackers to extract sensitive information or disrupt services.
Real-World Exploitation
Cybersecurity firms have reported that these vulnerabilities are being actively targeted in reconnaissance campaigns. For example, Resecurity noted that threat actors were scanning for vulnerable ServiceNow instances and attempting to exploit them to extract data from various sectors, including finance and government. Exploitation attempts have been observed against more than 6,000 sites, indicating that the targeting is widespread.
Mitigation Strategies
Organizations using ServiceNow are strongly advised to upgrade to the latest patched versions of the platform. The following versions have been identified as fixed:
- Utah: Patch 10 Hot Fix 3, Patch 10a Hot Fix 2, Patch 10b Hot Fix 1
- Vancouver: Patch 6 Hot Fix 2, Patch 7 Hot Fix 3b, Patch 8 Hot Fix 4, Patch 9 Hot Fix 1, Patch 10
- Washington D.C.: Patch 1 Hot Fix 3b, Patch 2 Hot Fix 2, Patch 3 Hot Fix 2, Patch 4, Patch 5
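To triage an inventory of instances against the fixed-version list above, the following added example (not ServiceNow's code and not part of the original article) flags every build that is not confirmed fixed. It assumes that patch and hot fix labels order numerically and then by letter suffix, that only a patch newer than every listed one counts as fixed, and that the operator supplies family, patch and hot fix as separate fields; the inventory is constructed.

```python
import re

# Fixed builds exactly as listed on this page.
# family -> {patch label: minimum hot fix, or None when the patch itself is the fix}
FIXED = {
    "utah": {"10": "3", "10a": "2", "10b": "1"},
    "vancouver": {"6": "2", "7": "3b", "8": "4", "9": "1", "10": None},
    "washington d.c.": {"1": "3b", "2": "2", "3": "2", "4": None, "5": None},
}

def label_key(label):
    """Split a label such as '3b' into (3, 'b'): numeric order first, then suffix."""
    m = re.fullmatch(r"(\d+)([a-z]?)", label.strip().lower())
    if not m:
        raise ValueError(f"unrecognised patch/hot fix label: {label!r}")
    return int(m.group(1)), m.group(2)

def is_fixed(family, patch, hotfix=None):
    """True if the build meets the list, False if not, None for an unlisted family."""
    table = FIXED.get(family.strip().lower())
    if table is None:
        return None
    listed = {label_key(k): v for k, v in table.items()}
    p = label_key(patch)
    if p in listed:
        need = listed[p]
        if need is None:
            return True
        return hotfix is not None and label_key(hotfix) >= label_key(need)
    # Assumption: only a patch newer than every listed one is treated as fixed.
    return p > max(listed)

def triage(inventory):
    """Names of instances whose build is not confirmed fixed (False or None)."""
    return [n for n, fam, patch, hf in inventory if is_fixed(fam, patch, hf) is not True]

# Constructed inventory: (instance name, release family, patch, hot fix)
INVENTORY = [
    ("hr-prod", "Vancouver", "7", "3b"),
    ("itsm-prod", "Vancouver", "7", "3a"),
    ("dev", "Utah", "10a", "2"),
    ("legacy", "Tokyo", "9", None),
    ("fin", "Washington D.C.", "3", None),
    ("new", "Washington D.C.", "6", None),
]

if __name__ == "__main__":
    for name in triage(INVENTORY):
        print("needs review:", name)
```

A family missing from the list returns None rather than True, so releases the article does not cover are surfaced for manual review instead of being assumed safe.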
Organizations should also implement robust monitoring and detection mechanisms to identify any attempts to exploit these vulnerabilities. Automated scanning with tools such as Nuclei can help with early detection of potential threats.
Conclusion
CVE-2024-4879 and CVE-2024-5217 represent critical vulnerabilities that require immediate attention from organizations using the ServiceNow platform. By understanding the nature of these vulnerabilities and taking proactive steps to mitigate their impact, organizations can better protect their systems and sensitive data from potential exploitation.