ServiceNow, an enterprise cloud platform provider, has recently addressed an input validation vulnerability, identified as CVE-2024-4879, which potentially allowed unauthenticated users to perform remote code execution on the Vancouver and Washington DC Now Platform releases. In response to this security issue, ServiceNow has promptly deployed an update to all hosted instances and provided necessary patches to its partners and customers. In this article, we will delve into the details of this vulnerability, the released patches, and the steps needed to remediate the risk.

Vulnerability Details

The CVE-2024-4879 vulnerability could enable unauthenticated users to bypass input validation controls and execute arbitrary code remotely on the affected ServiceNow platforms. Due to the sensitive nature of the data processed within these platforms, this vulnerability presented significant security risks to ServiceNow's customers. The company has taken a proactive approach: it addressed the vulnerability on its hosted instances and released patches for self-hosted customers and partners.

Code Snippet

A typical code snippet used by the attacker to exploit this vulnerability may look like the following:

<?php
// An example of crafted inputs that may trigger the vulnerability
$payload = [
    // PHP array entries use "=>" between key and value
    'user_name' => "'; exec('malicious_code');",
];
// ServiceNow API URL
$url = "https://example.servicenow.com/api/123";

// Send crafted payload to ServiceNow API
$ch = curl_init($url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($payload));
$result = curl_exec($ch);
?>

Remediation Steps

To protect your ServiceNow instance from this vulnerability, it is highly recommended to apply the security patches relevant to your release as soon as possible. ServiceNow has provided the following patches and hotfixes to address the vulnerability:

For ServiceNow Vancouver release:

- Patch: VAN-SEC-PATCH-2024Q4
- Hotfix: KB7879

For ServiceNow Washington DC release:

- Patch: WDC-SEC-PATCH-2024Q4
- Hotfix: KB788

Refer to the ServiceNow Documentation (Original Reference) for instructions on applying these patches and hotfixes.

Conclusion

CVE-2024-4879 posed a significant threat to ServiceNow's Vancouver and Washington DC Now Platform releases. To mitigate this risk, ServiceNow took necessary measures in a timely fashion by updating its hosted instances, releasing patches, and alerting partners and self-hosted customers. It's crucial for organizations using ServiceNow's affected platforms to promptly apply the relevant security patches to protect their systems and data from potential attacks exploiting this vulnerability.

Timeline

Published on: 07/10/2024 17:15:12 UTC
Last modified on: 07/12/2024 12:28:58 UTC