Over 1,000 misconfigured ServiceNow enterprise instances have been found exposing Knowledge Base (KB) articles containing sensitive corporate information to external users and potential cyber threats. The leaked data includes personally identifiable information (PII), internal system details, user credentials, and access tokens for live production systems, depending on the KB topic.
Aaron Costello, chief of SaaS security research at AppOmni, discovered these vulnerabilities. Despite ServiceNow's 2023 updates aimed at improving Access Control Lists (ACLs), the updates did not apply to KB articles, which primarily use the User Criteria permission system. As a result, many KBs remained publicly accessible.
ServiceNow's Knowledge Base feature serves as a repository for internal articles, guides, and FAQs, some of which may contain sensitive company data. While organizations aim to restrict access to authorized users, misconfigured public-facing widgets and weak access controls have allowed unauthorized users to access these articles without authentication.
AppOmni’s report highlights that misconfigured KB article access can be exploited using tools like Burp Suite to brute-force article numbers. Knowledge Base article IDs follow an incremental format (KBXXXXXXX), allowing attackers to systematically query and access exposed articles.
To prevent unauthorized access, AppOmni recommends that ServiceNow administrators configure the appropriate 'User Criteria' permissions to block external access and disable public-facing KBs if they are not needed. Administrators should also use built-in security settings to ensure that KB articles are protected, even if misconfigurations occur.
Key security properties that can enhance data protection include:
* glide.knowman.block_access_with_no_user_criteria (True): Automatically blocks access if no User Criteria are set for an article.
* glide.knowman.apply_article_read_criteria (True): Ensures only users with explicit "Can Read" permissions can view articles.
* glide.knowman.show_unpublished (False): Prevents visibility of unpublished or draft articles.
ServiceNow’s out-of-the-box rules that automatically add Guest Users to the "Cannot Read" list for new KBs should also be activated to enhance security.
