Overview
ServiceNow Vancouver and Washington DC Now Platform releases contain a critical remote code execution vulnerability caused by input validation issues. The vulnerability allows unauthenticated attackers to execute arbitrary code, making it highly exploitable in production environments. The vulnerability was disclosed on July 10, 2024. CISA has identified CVE-2024-4879 as being exploited, but it is not currently known to be used in ransomware campaigns.
Technical details
ServiceNow's Vancouver and Washington DC Now Platform releases contain a critical remote code execution vulnerability stemming from inadequate input validation. The vulnerability allows unauthenticated attackers to bypass security controls and execute arbitrary code on affected systems. The flaw exists in a component that processes user-supplied input without sufficient validation or sanitization, enabling direct code injection attacks.
The vulnerability is classified as CWE-94 (Improper Control of Generation of Code ('Code Injection')) and CWE-20 (Improper Input Validation).
The vulnerability has received a CVSS v3.1 base score of 9.8 (CRITICAL) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H, indicating its critical nature.
Impact
Successful exploitation allows unauthenticated attackers to achieve complete system compromise. An attacker can execute arbitrary code with the privileges of the ServiceNow application, potentially leading to full system takeover, unauthorized access to sensitive data stored in the instance, modification or deletion of critical business data, lateral movement to connected systems, and installation of persistent backdoors for continued access. Given ServiceNow's use in enterprise environments for IT Service Management (ITSM), HR, and other critical functions, exploitation could have severe business impact.
Mitigation and workarounds
ServiceNow has released emergency security patches for both Vancouver and Washington DC releases. Organizations should immediately apply these patches through ServiceNow's update management system. Instructions are available on ServiceNow's security advisory page. The following versions include the necessary fixes: the Vancouver patch released April 16, 2024; the Washington DC patch released April 16, 2024; and the latest stable releases with security patches.
As temporary workarounds: Implement network-level access controls to restrict direct internet access to ServiceNow instances. Use web application firewalls (WAF) with rules to detect and block code injection attempts. Disable or restrict access to unnecessary APIs and endpoints until patches can be applied. Review and tighten authentication requirements for all exposed endpoints. Implement strict input validation rules at the WAF/reverse proxy level to filter potentially malicious payloads. Monitor for suspicious activity and implement detection signatures based on ServiceNow's IoC recommendations.
CISA's recommendation: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Source: This report was generated using AI

