
Aug 1, 2024 Advisory: Multiple ServiceNow Server-Side Template Injection Vulnerabilities [CVE-2024-4879, CVE-2024-5178 & CVE-2024-5217]

Date of Disclosure: May 28, 2024

CVE-ID and CVSS Score:

  • CVE-2024-4879: CVSS 9.3
  • CVE-2024-5178: CVSS 6.9
  • CVE-2024-5217: CVSS 9.2

Issue Name and Description: Multiple ServiceNow Server-Side Template Injection Vulnerabilities

Asset Description: ServiceNow is a popular cloud-based platform for IT service management, operations management, and business management solutions. These vulnerabilities affect non-hosted ServiceNow instances running Vancouver, Washington DC, and Utah Now Platform releases. ServiceNow reported that hosted instances were automatically patched.

| CVE | Affected Releases | Vendor Advisory |
|---|---|---|
| CVE-2024-4879 | Vancouver and Washington DC Now Platform releases | https://support.servicenow.com/kb?id=kb_article_view&sysparm_article=KB1645154 |
| CVE-2024-5178 | Washington DC, Vancouver, and Utah Now Platform releases | https://support.servicenow.com/kb?id=kb_article_view&sysparm_article=KB1648312 |
| CVE-2024-5217 | Washington DC, Vancouver, and earlier Now Platform releases | https://support.servicenow.com/kb?id=kb_article_view&sysparm_article=KB1648313 |

Vulnerability Impact: A threat actor could exploit these vulnerabilities to execute arbitrary code on the affected ServiceNow instances, potentially leading to complete system compromise, data theft, and unauthorized access to sensitive information.

Exploitation Details: The vulnerabilities stem from server-side template injection flaws in ServiceNow’s platform. An attacker could inject malicious templates that are then executed on the server, allowing for remote code execution.

Several PoCs have been published on GitHub, and it is listed as a CISA Known Exploited Vulnerability (KEV).

Patch Availability: ServiceNow has released patches to address these vulnerabilities. Hosted instances were automatically updated on May 14, 2024. Non-hosted instances should be updated immediately to the latest patched version.

Censys Perspective:

Currently, Censys identifies 11,108 potentially vulnerable ServiceNow instances. As expected for a cloud-based platform, the majority are concentrated in AWS and Azure networks (AS8266, AS1125, AS698). To identify potentially vulnerable non-hosted ServiceNow instances, use the following Censys queries:

  • Censys Search Query:
    services: (software.product="ServiceNow" OR http.response.headers: (key: `Server` and value.headers: `ServiceNow`)) and not autonomous_system.name="SNC" and not name:".service-now." and not labels=`tarpit`
  • Censys ASM query:
    host.services: (software.product:"ServiceNow" OR http.response.headers: (key: `Server` and value.headers: `ServiceNow`)) or web_entity.instances: (software.product:"ServiceNow" OR http.response.headers: (key: `Server` and value.headers: `ServiceNow`)) and not (host.services.labels=`tarpit` or web_entity.instances.labels=`tarpit`)

This query excludes ServiceNow-hosted instances.
