Full Report
A new vulnerability in ServiceNow, dubbed Count(er) Strike, allows low-privileged users to extract sensitive data from tables to which they should not have access. [...]
Analysis Summary
# Vulnerability: ServiceNow Information Enumeration Flaw
## CVE Details
- CVE ID: Not explicitly mentioned in the provided text.
- CVSS Score: Not explicitly mentioned in the provided text.
- CWE: Not explicitly mentioned in the provided text (Likely related to Insecure Direct Object Reference or Improper Access Control).
## Affected Systems
- Products: All ServiceNow products utilizing the affected Access Control List (ACL) logic, tested specifically against ServiceNow ITSM.
- Versions: Not specified, but affects versions where the older ACL logic permits enumeration queries.
- Configurations: Instances allowing self-registration are specifically noted as vulnerable, even if they only grant minimal privileges.
## Vulnerability Description
The vulnerability allows a low-privileged attacker (on instances that permit self-registration, any self-registered user) to enumerate restricted data, including sensitive credentials, Personally Identifiable Information (PII), and internal configuration data, by exploiting shortcomings in the Access Control List (ACL) logic. The enumeration abuses how the platform evaluates query operations: the attacker observes row counts or similar inference cues that should have been suppressed for a user lacking read permission on the filtered field, and learns the underlying values from those cues.
## Exploitation
- Status: Varonis has *not* seen evidence this vulnerability has been exploited in the wild.
- Complexity: Implied to be Low to Medium, as self-registered users (minimal privileges) could launch the attack.
- Attack Vector: Likely Network (remote exploitation).
## Impact
- Confidentiality: High (Enables extraction of credentials, PII, and internal configurations).
- Integrity: Medium/High (Disclosure of configuration data could aid subsequent attacks).
- Availability: Low (The attack is focused on information disclosure, not service disruption).
## Remediation
### Patches
ServiceNow addressed the attack by implementing the following logic changes:
1. **Introducing 'Deny Unless' ACLs:** Requires users to pass **all** ACLs to gain access to a dataset.
2. **Adding Query ACLs:** Restricts enumeration queries using range operators.
### Workarounds
- Customers should manually review their tables and tighten overly permissive ACLs; an overly permissive ACL can leave a table exposed even after the patch is deployed.
- Customers should utilize **Security Data Filters** to hide row counts and suppress inference cues.
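The two controls listed under Patches and Workarounds (query ACLs that refuse range-operator filters on fields the caller cannot read, and data filters that hide row counts) as a toy model, added here for illustration; this is not ServiceNow's implementation, the operator names, table and rows are constructed, and field reads use the "deny unless" rule that every applicable ACL must pass:

```python
# Toy model (added illustration, not ServiceNow's code) of the two controls the
# report describes: a query ACL that refuses range-operator filters on fields the
# caller cannot read, and a data filter that suppresses row counts. Field reads
# use "deny unless" semantics: every applicable ACL must pass.
from dataclasses import dataclass

RANGE_OPERATORS = {">", "<", ">=", "<=", "STARTSWITH"}   # assumed operator names

@dataclass(frozen=True)
class Acl:
    table: str
    field: str          # "*" applies to the whole table
    roles: frozenset    # any one of these roles satisfies this ACL

def field_readable(acls, table, field, user_roles):
    """Deny unless: a field is readable only if EVERY applicable ACL passes."""
    applicable = [a for a in acls if a.table == table and a.field in ("*", field)]
    return bool(applicable) and all(a.roles & user_roles for a in applicable)

def condition_matches(row, cond):
    field, op, value = cond
    actual = row.get(field, "")
    return {"=": actual == value, ">": actual > value, "<": actual < value,
            ">=": actual >= value, "<=": actual <= value,
            "STARTSWITH": actual.startswith(value)}.get(op, False)

def run_query(acls, table, rows, conditions, user_roles, *, query_acl, hide_count):
    """Return (visible_rows, disclosed_count). With query_acl on, a range filter on a
    field the caller cannot read is rejected outright; with hide_count on, the number
    of matching rows is never disclosed, so nothing can be inferred from it."""
    if query_acl:
        for field, op, _ in conditions:
            if op in RANGE_OPERATORS and not field_readable(acls, table, field, user_roles):
                return [], None
    matched = [r for r in rows if all(condition_matches(r, c) for c in conditions)]
    # Field-level ACLs still strip unreadable values from the returned rows.
    visible = [{k: v for k, v in r.items() if field_readable(acls, table, k, user_roles)}
               for r in matched]
    return visible, (None if hide_count else len(matched))

# Constructed sample data: a table whose "secret" column is admin-only.
ACLS = [Acl("cred", "*", frozenset({"user", "admin"})),
        Acl("cred", "secret", frozenset({"admin"}))]
ROWS = [{"name": "svc-a", "secret": "hunter2"}, {"name": "svc-b", "secret": "s3cret"}]

if __name__ == "__main__":
    probe = [("secret", "STARTSWITH", "h")]          # filter on an unreadable field
    low = frozenset({"user"})
    print(run_query(ACLS, "cred", ROWS, probe, low, query_acl=False, hide_count=False))
    print(run_query(ACLS, "cred", ROWS, probe, low, query_acl=True, hide_count=True))
```

Without the query ACL the low-privileged caller gets a row count of 1 for a filter on a field it cannot read, which is exactly the inference cue the report describes; with the query ACL the filter is refused, and hiding the count removes the cue from legitimate queries as well.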
## Detection
- **Indicators of Compromise (IoCs):** Unusual or excessive resource usage related to data querying or enumeration attempts on restricted tables.
- **Detection Methods and Tools:** Review query and ACL logs for requests from low-privileged users that filter restricted tables or fields with range operators, especially repeated queries that return no visible data yet vary only in the filter value; such patterns suggest an attacker probing record counts or other visibility inconsistencies to infer hidden values.
## References
- Vendor advisories (Specific ServiceNow security bulletin number not provided).
- Relevant links:
  - bleepingcomputer.com/news/security/new-servicenow-flaw-lets-attackers-enumerate-restricted-data/