Protecting Your Confidential Information on ServiceNow: Understanding Knowledge Base Misconfigurations
ServiceNow, the cloud platform widely used to manage IT services and business processes, can expose sensitive data, including names, phone numbers, system details, and credentials, when a customer's instance is misconfigured. The problem is not a flaw in the platform itself but misconfigured Knowledge Bases, the repositories that hold internal material such as password-reset procedures, security guidance, HR processes, and more.
A recent blog post by AppOmni reports that 60% of the exposures it found involve older Knowledge Bases whose default settings permit public access. Other instances carry User Criteria rules that unintentionally grant access to users who should not have it.
With 85% of Fortune 500 companies using ServiceNow, and numerous instances misconfigured, proactive security measures are crucial. Aaron Costello, chief of SaaS security research at AppOmni, emphasizes the need for enterprises to regularly review and update security configurations to safeguard data assets.
Knowledge Base misconfigurations have been an ongoing issue, with previous incidents reported in 2020 where sensitive data was accessible due to similar oversights. ServiceNow’s commitment to collaboration with security researchers underscores their dedication to enhancing product security.
What are the Knowledge Base misconfigurations?
AppOmni identified three scenarios where businesses put their Knowledge Bases at risk:
- Older versions of Knowledge Bases whose default settings permit public access.
- Use of the "Any User" and "Any user for kb" User Criteria in a Knowledge Base's Can Read list, which match unauthenticated (guest) visitors as well as employees.
- No Cannot Read (denylist) criteria, so nothing excludes external or guest users that a broad Can Read rule admits.
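As an added illustration, not code from AppOmni or ServiceNow, the following Python model evaluates the three scenarios above for a guest visitor and an external account. It reduces User Criteria to simple predicates over a user record and applies the documented rule that a matching Cannot Read criteria overrides any Can Read match. The record names, the public_by_default flag used to stand in for the legacy behaviour, and the sample Knowledge Bases are constructed for the example.

```python
"""Model of who can read a ServiceNow Knowledge Base (KB) under User Criteria.

Added illustration, not ServiceNow's or AppOmni's code. User Criteria are
reduced to predicates over a user record; a matching Cannot Read criteria
overrides any Can Read match, as ServiceNow documents. The legacy "no
criteria means everyone" behaviour is modelled by the public_by_default
flag. All record names and sample data are constructed for the example.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    name: str
    roles: frozenset = frozenset()
    authenticated: bool = True


@dataclass(frozen=True)
class UserCriteria:
    name: str
    any_user: bool = False          # "Any User" / "Any user for kb" style records
    users: frozenset = frozenset()  # named users the record matches
    roles: frozenset = frozenset()  # roles the record matches

    def matches(self, user):
        return (self.any_user
                or user.name in self.users
                or bool(self.roles & user.roles))


@dataclass
class KnowledgeBase:
    name: str
    can_read: tuple = ()             # allowlist criteria
    cannot_read: tuple = ()          # denylist criteria
    public_by_default: bool = False  # older KB behaviour when no criteria exist


def can_read(kb, user):
    """True if user may read kb. Cannot Read wins; no Can Read means legacy default."""
    if any(c.matches(user) for c in kb.cannot_read):
        return False
    if not kb.can_read:
        return kb.public_by_default
    return any(c.matches(user) for c in kb.can_read)


# Principals that must not read internal KBs: the unauthenticated portal
# visitor and an authenticated external account (snc_external is a real role).
GUEST = User("guest", authenticated=False)
EXTERNAL = User("vendor.contact", roles=frozenset({"snc_external"}))
UNTRUSTED = (GUEST, EXTERNAL)


def audit(kb):
    """Return findings explaining why untrusted principals can read kb ([] = clean)."""
    findings = []
    for who in UNTRUSTED:
        if not can_read(kb, who):
            continue
        if not kb.can_read:
            findings.append(f"{who.name}: no Can Read criteria, legacy public access")
        for c in kb.can_read:
            if c.matches(who):
                findings.append(f"{who.name}: Can Read '{c.name}' admits this user")
        if not kb.cannot_read:
            findings.append(f"{who.name}: no Cannot Read denylist excludes this user")
    return findings


def harden(kb):
    """Return a copy of kb with a Cannot Read denylist for guest and external users."""
    deny = UserCriteria("Deny guest and external",
                        users=frozenset({"guest"}),
                        roles=frozenset({"snc_external"}))
    return KnowledgeBase(kb.name, kb.can_read, kb.cannot_read + (deny,),
                         kb.public_by_default)


ANY_USER = UserCriteria("Any User", any_user=True)
ITIL = UserCriteria("ITIL staff", roles=frozenset({"itil"}))
EMPLOYEE = User("alice", roles=frozenset({"itil"}))

# Constructed sample Knowledge Bases, one per scenario plus a clean one.
SAMPLE_KBS = [
    KnowledgeBase("Legacy HR KB", public_by_default=True),      # scenario 1
    KnowledgeBase("IT Self-Service KB", can_read=(ANY_USER,)),  # scenarios 2 and 3
    KnowledgeBase("Runbooks", can_read=(ITIL,)),                # role-scoped, clean
]

if __name__ == "__main__":
    for kb in SAMPLE_KBS:
        print(kb.name)
        for line in audit(kb) or ["clean"]:
            print("  ", line)
        print("   after harden:", audit(harden(kb)) or ["clean"])
```

The point the model makes is that adding a denylist is enough to close both the "Any User" and the legacy-default cases without touching the Can Read list, so internal employees keep their access while guest and external accounts lose it. In a real instance the same check is done by reading each Knowledge Base's Can Read and Cannot Read related lists rather than by building records by hand.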
How attackers can gain access to the Knowledge Bases
Attackers reach misconfigured Knowledge Bases through widgets marked public, such as the "KB Article Page" widget, which serves article content to visitors who have not logged in whenever the backing Knowledge Base allows it. By automating the requests with a tool like Burp Suite, an attacker can pull the contents of many articles in a single run rather than reading them one at a time.
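Seen from the defensive side, the automated harvesting described above leaves a distinctive trace: one client, no authenticated user, many distinct articles in a short window. The following Python detector is an added example, not part of the original post or AppOmni's research. The log lines are constructed in a generic web-access-log shape, and the article URL pattern (sysparm_article on the kb_article_view portal page) is an assumption; adjust the regexes to the request paths your instance, proxy or WAF actually records.

```python
"""Detect bulk Knowledge Base article harvesting in portal access logs.

Added example, not from AppOmni or ServiceNow. The log lines are constructed
in a generic web-access-log shape and the article URL pattern is an
assumption; point the regexes at the request paths your portal really logs.
"""
import re
from collections import defaultdict
from datetime import datetime

LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3})'
)
ARTICLE = re.compile(r"sysparm_article=(KB\d{7})")  # assumed URL parameter
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"


def parse(line):
    """Return an event dict for an article read, or None for anything else."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    a = ARTICLE.search(m["path"])
    if not a:
        return None
    return {
        "ip": m["ip"],
        "user": m["user"],  # "-" means no authenticated user, i.e. guest
        "ts": datetime.strptime(m["ts"], TS_FORMAT),
        "article": a.group(1),
        "status": int(m["status"]),
    }


def find_harvesters(lines, window_s=60, min_articles=10):
    """Return {ip: stats} for clients that read at least min_articles distinct
    articles as guest within any window_s-second window. sequential_steps counts
    consecutive KB numbers, the signature of a scripted walk over article IDs."""
    by_ip = defaultdict(list)
    for line in lines:
        ev = parse(line)
        if ev and ev["status"] == 200 and ev["user"] == "-":
            by_ip[ev["ip"]].append(ev)
    hits = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        best, start = set(), 0
        for end in range(len(evs)):  # sliding window over timestamps
            while (evs[end]["ts"] - evs[start]["ts"]).total_seconds() > window_s:
                start += 1
            seen = {e["article"] for e in evs[start:end + 1]}
            if len(seen) > len(best):
                best = seen
        if len(best) >= min_articles:
            nums = sorted(int(a[2:]) for a in best)
            sequential = sum(1 for x, y in zip(nums, nums[1:]) if y - x == 1)
            hits[ip] = {"distinct_articles": len(best), "sequential_steps": sequential}
    return hits


# Constructed sample: one guest client walking consecutive KB numbers in a few
# seconds (what automated requests produce) plus two benign readers.
SAMPLE_LOG = [
    f'203.0.113.7 - - [01/Oct/2024:10:00:{i:02d} +0000] '
    f'"GET /sp?id=kb_article_view&sysparm_article=KB00100{i + 1:02d} HTTP/1.1" 200 5120'
    for i in range(12)
] + [
    '198.51.100.4 - alice [01/Oct/2024:10:01:00 +0000] '
    '"GET /sp?id=kb_article_view&sysparm_article=KB0010042 HTTP/1.1" 200 4011',
    '198.51.100.9 - - [01/Oct/2024:10:01:05 +0000] '
    '"GET /sp?id=kb_article_view&sysparm_article=KB0010003 HTTP/1.1" 200 3300',
    '198.51.100.9 - - [01/Oct/2024:10:04:05 +0000] '
    '"GET /sp?id=kb_article_view&sysparm_article=KB0010009 HTTP/1.1" 200 2999',
]

if __name__ == "__main__":
    for ip, stats in find_harvesters(SAMPLE_LOG).items():
        print(ip, stats)
```

Tune window_s and min_articles to the portal's normal traffic before alerting on this; a help-desk agent opening a dozen articles in a minute is plausible, but a dozen consecutive KB numbers from an unauthenticated client is not. The detector only confirms that harvesting happened; the fix remains the User Criteria and Business Rule changes described later on this page.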
How to secure Knowledge Bases against unauthorized access
Run regular diagnostics on Knowledge Base access controls
ServiceNow's User Criteria diagnostics tool shows administrators which users can reach each Knowledge Base and article. The /get_public_knowledge_bases.do and /km_diagnostics.do pages provide the detailed reports.
Use Business Rules to deny unauthenticated access
Activate the Business Rule that denies the Guest User (the identity ServiceNow assigns to unauthenticated visitors) access to Knowledge Bases by default. With it active, an over-broad Can Read criteria no longer opens articles to anonymous readers through the portal.