External risk intelligence

ServiceNow Platform Remote Code Execution Vulnerability

CVE advisoryKnown Exploit

CVE-2024-5217

A vulnerability in ServiceNow's Now Platform, affecting Washington DC, Vancouver, and earlier releases, could allow an unauthenticated user to execute code remotely. This poses a business risk of unauthorized system access and potential operational disruption. Patches are available from ServiceNow to address this issue

5Halo Surface Signal

Servicenow

utahvancouver

External exposure likelihood

Halo Surface Signal score for CVE-2024-5217

ServiceNow is a widely deployed, enterprise-facing platform that typically exposes web-based interfaces and API endpoints to the public internet for user access, integration, and portal functionality, making it a design-inherent internet-facing service.

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Horizon Alert

Summary of the vulnerability and why it matters

ServiceNow's Now Platform has an input validation flaw that affects its Washington DC, Vancouver, and earlier releases. This weakness could permit an unauthenticated user to execute code remotely on the platform. The impact could include unauthorized system access and potential disruption to business operations.

  • Vulnerable ServiceNow Now Platform
  • Input validation flaw
  • Remote code execution capability

Attack Path

How an attacker could exploit the issue

This vulnerability allows an unauthenticated user to execute code remotely on the ServiceNow platform. The attack leverages a weakness in how the platform handles certain inputs, enabling an attacker to bypass security controls. Successful exploitation could lead to unauthorized code execution within the affected system, potentially impacting data integrity and system availability.

  • Exposed to the internet.
  • Attacker sends malicious input.
  • Code executes on the platform.

Live Threat

Current exploitation, exposure, and threat context

ServiceNow has addressed a critical vulnerability that could allow an unauthenticated attacker to remotely execute code. This vulnerability impacts several versions of the Now Platform. The issue stems from an incomplete list of disallowed inputs within the GlideExpression script.

  • Attackers require no special skill.
  • No access or conditions needed.
  • Business risk is critical.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

An unauthenticated user could remotely execute code within the Now Platform due to a vulnerability. The vendor has released patches addressing this critical risk. Organizations should prioritize applying these fixes to affected instances.

  • Find affected ServiceNow instances.
  • Apply vendor security patches promptly.
  • Verify patch installation and monitor systems.

Frequently asked questions

What is the ServiceNow Now Platform input validation vulnerability affecting Washington DC, Vancouver, and earlier releases?

ServiceNow has addressed a critical vulnerability in its Now Platform, impacting Washington DC, Vancouver, and earlier releases. This input validation flaw could allow an unauthenticated user to remotely execute code within the platform's context. The vulnerability stems from an incomplete list of disallowed inputs in the GlideExpression script.

How does the ServiceNow Now Platform vulnerability work, and what weakness does it exploit?

This vulnerability is an input validation flaw (CWE-184) within the ServiceNow Now Platform. It allows an unauthenticated user to send malicious input, which is not properly handled by the GlideExpression script. This bypasses security controls, enabling the remote execution of arbitrary code on the platform.

What is the attack path for the ServiceNow Now Platform vulnerability, and what is the scope of impact?

An unauthenticated attacker can exploit this vulnerability by sending specially crafted malicious input to the ServiceNow platform. Successful exploitation allows for remote code execution within the platform's environment. The scope of impact can be significant, potentially leading to unauthorized system access, data compromise, and disruption of business operations.

How relevant is the ServiceNow Now Platform RCE vulnerability, and what is its current threat level?

This vulnerability is highly relevant due to its critical severity and the fact that it is actively exploited. ServiceNow is a widely used enterprise platform, making it an attractive target. The attack vector is network-based and requires no special privileges or conditions, leading to a very likely exposure classification.

What practical steps should be taken to respond to the ServiceNow Now Platform RCE vulnerability?

Organizations using affected ServiceNow Now Platform releases (Washington DC, Vancouver, and earlier) should prioritize applying the security patches released by ServiceNow during the June 2024 patching cycle. Promptly applying these vendor-provided fixes to relevant instances is crucial to mitigate the risk of remote code execution.

References

Sources and related resources

Primary sources: NVD, CVE.org, CISA KEV.

NVDPublished Modified