Incorrectly Configured ServiceNow Knowledge Bases Expose Private Data
Users of ServiceNow, an online platform for managing IT services and workflows, may be unknowingly exposing sensitive information, including personal details, phone numbers, internal system details, and live credentials.
Misconfigured Knowledge Bases, the self-service tools within ServiceNow where users create, store, and share content such as articles and manuals, can expose that content to outsiders. Many organizations use Knowledge Bases to store critical internal data, such as procedures for resetting company passwords, responding to cyber threats, HR-related information, and more.
A recent report from SaaS security platform provider AppOmni found that about 60% of the data exposures involve older versions of Knowledge Bases that are configured for public access by default. The remainder involve “User Criteria” that unintentionally grant access to unverified (unauthenticated) users.
ServiceNow holds a market share of 85% among Fortune 500 companies, with over a thousand instances currently set up incorrectly. Many organizations managing multiple ServiceNow instances were found to consistently misconfigure Knowledge Base access controls, pointing to cloned settings or a misunderstanding of configuration operations.
Aaron Costello, head of SaaS security research at AppOmni, emphasized, “This underscores the criticality for enterprises to routinely review and enhance security configurations to block unauthorized entry and safeguard their data assets. Understanding and addressing these issues are imperative for maintaining strong security in business SaaS environments.”
There have been previous instances where ServiceNow exposed sensitive data due to misconfigurations. In 2020, another researcher reported a similar case in which Knowledge Base content was accessible through an insecure UI.
Ben De Bont, Chief Information Security Officer at ServiceNow, mentioned, “ServiceNow is devoted to fostering collaboration with the security community. Safeguarding our customers’ data is our top priority, and security researchers are crucial allies in our continuous efforts to enhance our product security.”
What are the Problems with Knowledge Bases?
AppOmni identified three scenarios where organizations were jeopardizing their ServiceNow Knowledge Bases:
- Usage of outdated ServiceNow versions where Knowledge Base settings permit public access without User Criteria implementation.
- Utilizing the “Any User” and “Any user for kb” User Criteria as whitelists. Both grant access to unverified users, potentially unnoticed by administrators.
- Failure to set up blocklists, enabling external users to bypass access restrictions.
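The three scenarios above, turned into a small audit check over a Knowledge Base inventory. This is an added example, not AppOmni's or ServiceNow's code; the record fields and the “Guest User” blocklist entry name are assumptions standing in for the instance's actual User Criteria tables.

```python
from dataclasses import dataclass, field

# User Criteria that, per AppOmni's findings, also admit unverified (guest) users
GUEST_CRITERIA = {"Any User", "Any user for kb"}
# Assumed name of the deny entry the recommended Business Rule creates for guests
GUEST_BLOCK = "Guest User"


@dataclass
class KnowledgeBase:
    name: str
    can_read: list[str] = field(default_factory=list)     # read allowlist (User Criteria)
    cannot_read: list[str] = field(default_factory=list)  # read blocklist (User Criteria)
    legacy_public_default: bool = False  # older KB versions: public when no criteria are set


def audit(kb: KnowledgeBase) -> list[str]:
    """Return the misconfigurations found on one Knowledge Base."""
    findings = []
    # Scenario 1: legacy default leaves the KB public when no User Criteria exist
    if kb.legacy_public_default and not kb.can_read and not kb.cannot_read:
        findings.append("public by default: no User Criteria set on a legacy KB")
    # Scenario 2: an allowlist entry that silently includes unauthenticated users
    guest_allow = GUEST_CRITERIA.intersection(kb.can_read)
    if guest_allow:
        findings.append("allowlist admits guests: " + ", ".join(sorted(guest_allow)))
    # Scenario 3: no blocklist denying the Guest User, so external reads remain possible
    if GUEST_BLOCK not in kb.cannot_read:
        findings.append("no 'Cannot Read' blocklist entry for the Guest User")
    return findings


def audit_all(kbs: list[KnowledgeBase]) -> dict[str, list[str]]:
    """Map each Knowledge Base name to its list of findings (empty means clean)."""
    return {kb.name: audit(kb) for kb in kbs}


# Constructed sample inventory, not data from any real instance
SAMPLE_KBS = [
    KnowledgeBase("HR Policies", legacy_public_default=True),
    KnowledgeBase("IT Runbooks", can_read=["Any user for kb"]),
    KnowledgeBase("Engineering", can_read=["ITIL users"], cannot_read=[GUEST_BLOCK]),
]

if __name__ == "__main__":
    for name, issues in audit_all(SAMPLE_KBS).items():
        print(name, "->", issues or ["OK"])
```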
How Intruders can Reach Knowledge Bases
According to Costello’s analysis, intruders can reach misconfigured Knowledge Bases through public widgets, such as the “KB Article Page” widget, which displays the content of a specified Knowledge Base article.
Intruders can automate the retrieval of articles through the widget with tools such as Burp Suite. The KB Article Page widget makes this easier because article IDs follow a predictable format, “KBXXXXXXX,” where the Xs form a positive integer.
Burp Suite’s Intruder feature can rapidly iterate through these integers to reveal unintentionally exposed articles, retrieving their content, which may include sensitive data, from many unsecured articles in one pass.
Securing Knowledge Bases from Unauthorized Entry
Perform regular assessments on Knowledge Base access controls
ServiceNow’s User Criteria assessment tool helps administrators identify users, both verified and unverified, with access to Knowledge Bases and individual articles.
Access /get_public_knowledge_bases.do to pinpoint public Knowledge Bases, and the full diagnostics tool at /km_diagnostics.do to track public and private user access to individual articles.
Employ Business Rules to block unauthorized access to Knowledge Bases by default
Activate the Business Rule “sys_id 6c8ec5147711111016f35c207b5a9969,” which assigns the Guest User under “Cannot Read and Cannot Contribute” User Criteria for Knowledge Bases.
