Recently, a potential security issue was identified within the ServiceNow platform. If you want to see more details, please refer to the links below.
What is the Issue?
The issue is in relation to the specific Service Portal widget named SimpleListWidget. Here’s the ServiceNow Support information article: Potential Public List Widget Misconfiguration.
There’s a lot of information in the articles, so we’ve broken it down a little to help you understand the situation.
As stated in the ServiceNow Support article, the misconfiguration concerns the Service Portal widget named SimpleListWidget (the OOTB ‘Simple List’ widget).
The widget queries a table within ServiceNow and displays the records it is passed. The issue is that it is marked Public, so it can be rendered on pages of externally facing portals without the visitor logging in.
The widget itself does not restrict what it returns; it relies on the ACLs of the queried table to restrict access to data. If the ACLs for a table haven’t been configured properly, or have deliberately been left open to this type of access, the widget will be able to read that table’s data. In most cases this is intended, but in some cases it is not.
What is the Risk?
If an ACL has been configured incorrectly, the widget may allow access when it shouldn’t. Either of the following conditions would allow the widget to read data in a table:
1. The ‘Public’ role has been added on a table or column in the ACL record.
2. A table or column was configured with an ACL with no role, no condition, and no script.
Combined with the public widget, either condition would allow a user to view records in that table, even the unauthenticated Guest user.
For most of the critical tables used in ServiceNow, a specific role is added to restrict access. However, there may be some tables where this isn’t the case, and it’s these tables that need to be assessed to ensure they are acceptable to expose through the widget.
Next Step – Quick Fix
So what are your next steps here to quickly get things into a state that you’re comfortable with?
1. Simple solution: uncheck Public on the Simple List widget. The public widget ‘Simple List’ comes OOTB in all instances and is used only in Service Portal to render data as a table list. Assess whether this widget is required on any public-facing portal page. If there is no public-facing portal, or the widget is not required there, uncheck the Public checkbox on the widget record. Any public page that currently renders the widget will then stop showing data to unauthenticated visitors, which is the intended effect.
2. Stronger option: enable IP Address Access Control. IP Address Access Control blocks access to the instance at the network level (disallowed IPs cannot even reach the login screen). This reduces the attack surface so that only users coming from allow-listed ranges, such as your corporate network or VPN egress, can reach ServiceNow. Note that this is a compensating control: it hides the misconfigured ACLs from the internet, but does not fix them. This system-wide change may not be feasible for some customers, as the instance may need to be reachable from any IP, and should be considered carefully before implementing.
Long Term Fix
To remediate any similar classes of potential vulnerabilities, we propose the following review steps and actions.
1. Review all remaining Public widgets.
2. Review all ACLs that grant access via the public role or that carry no role at all.
3. Review user criteria on Knowledge bases.
Outcome – Once the above three reviews are completed and their findings remediated, this class of misconfiguration is closed to anonymous users, not just the Simple List widget.
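The following Python script is added here as an illustration; it is not CloudGo’s or ServiceNow’s own tooling. It implements the two ACL conditions from the ‘What is the Risk?’ section and steps 1 and 2 of the review above as checks over Table API rows. It runs offline on constructed sample rows; the `fetch_rows` helper shows how the same rows would be pulled from a live instance over the Table API with basic auth. The table and field names it relies on (`sp_widget.public`, `sys_security_acl.*`, `sys_security_acl_role.*`, `sys_user_role`) are assumed from the platform’s standard schema and are not stated in the article.

```python
"""Offline audit of ServiceNow ACLs and widgets for the two conditions
described in this article: a read ACL carrying the 'public' role, or a
read ACL with no role, no condition and no script.

Added example; not CloudGo's or ServiceNow's code. It operates on plain
dicts shaped like Table API rows (/api/now/table/<table>), so the demo
below runs on constructed sample data. Table and field names
(sp_widget.public, sys_security_acl.*, sys_security_acl_role.*) are
assumed from the platform's standard schema, not taken from the article.
"""
import base64
import json
import urllib.parse
import urllib.request


def fetch_rows(instance, table, query, user, password):
    """Pull rows from the Table API with basic auth (ACL tables need admin).
    Live call; not used by the offline demo or its checks."""
    url = (f"https://{instance}.service-now.com/api/now/table/{table}"
           f"?sysparm_query={urllib.parse.quote(query)}&sysparm_limit=10000")
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(url, headers={"Accept": "application/json",
                                               "Authorization": f"Basic {token}"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["result"]


def ref(value):
    """Reference fields come back as {'link': ..., 'value': sys_id}; strings pass through."""
    return value["value"] if isinstance(value, dict) else value


def truthy(value):
    """The Table API returns booleans as the strings 'true'/'false'."""
    return str(value).lower() == "true"


def roles_for_acl(acl_sys_id, acl_role_rows, role_names):
    """Role names attached to one ACL via the sys_security_acl_role m2m table."""
    return {role_names[ref(r["sys_user_role"])]
            for r in acl_role_rows if ref(r["sys_security_acl"]) == acl_sys_id}


def classify_acl(acl, roles):
    """Return 'public-role', 'unrestricted' or None for one ACL row.
    A script only counts as a restriction when the ACL is marked Advanced,
    because the platform does not evaluate the script otherwise."""
    if not truthy(acl.get("active", "true")) or acl.get("operation") != "read":
        return None
    if "public" in roles:
        return "public-role"
    has_condition = bool(acl.get("condition", "").strip())
    has_script = truthy(acl.get("advanced", "false")) and bool(acl.get("script", "").strip())
    if not roles and not has_condition and not has_script:
        return "unrestricted"
    return None


def audit_acls(acl_rows, acl_role_rows, role_rows):
    """List (ACL name, reason) for every read ACL matching either condition."""
    role_names = {r["sys_id"]: r["name"] for r in role_rows}
    findings = []
    for acl in acl_rows:
        reason = classify_acl(acl, roles_for_acl(acl["sys_id"], acl_role_rows, role_names))
        if reason:
            findings.append((acl["name"], reason))
    return sorted(findings)


def public_widgets(widget_rows):
    """Widget IDs still marked Public (step 1 of the long-term review)."""
    return sorted(w["id"] for w in widget_rows if truthy(w.get("public")))


# Constructed sample rows, not exported from a real instance.
SAMPLE_ROLES = [{"sys_id": "r1", "name": "admin"}, {"sys_id": "r2", "name": "public"},
                {"sys_id": "r3", "name": "itil"}]
SAMPLE_ACLS = [
    {"sys_id": "a1", "name": "incident", "operation": "read", "active": "true",
     "condition": "", "advanced": "false", "script": ""},
    {"sys_id": "a2", "name": "u_announcement", "operation": "read", "active": "true",
     "condition": "", "advanced": "false", "script": ""},
    {"sys_id": "a3", "name": "u_vendor_catalog", "operation": "read", "active": "true",
     "condition": "", "advanced": "false", "script": ""},
    {"sys_id": "a4", "name": "u_vendor_catalog.cost", "operation": "read", "active": "true",
     "condition": "active=true", "advanced": "false", "script": ""},
    {"sys_id": "a5", "name": "u_internal_note", "operation": "read", "active": "true",
     "condition": "", "advanced": "true", "script": "answer = gs.hasRole('itil');"},
    {"sys_id": "a6", "name": "u_vendor_catalog", "operation": "write", "active": "true",
     "condition": "", "advanced": "false", "script": ""},
]
SAMPLE_ACL_ROLES = [
    {"sys_security_acl": {"link": "", "value": "a1"}, "sys_user_role": {"link": "", "value": "r3"}},
    {"sys_security_acl": "a2", "sys_user_role": "r2"},
]
SAMPLE_WIDGETS = [{"id": "widget-simple-list", "public": "true"},
                  {"id": "widget-data-table", "public": "false"}]

if __name__ == "__main__":
    for name, reason in audit_acls(SAMPLE_ACLS, SAMPLE_ACL_ROLES, SAMPLE_ROLES):
        print(f"{name}: {reason}")
    print("public widgets:", public_widgets(SAMPLE_WIDGETS))
```

Against a live instance you would pull `sp_widget` with `public=true`, `sys_security_acl` with `operation=read^active=true`, all of `sys_security_acl_role`, and `sys_user_role`, then pass the rows to `audit_acls` and `public_widgets`. Treat each ‘public-role’ or ‘unrestricted’ finding as a table to assess rather than an automatic defect: some tables are meant to be readable from a public portal, and the question is whether the one you found is.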
Was I Exposed?
1. Check the transaction log for uses of this widget by the Guest user. Append the following to your instance URL to list requests to the widget made by the guest account and what was queried: /syslog_transaction_list.do?sysparm_query=urlSTARTSWITH%2Fapi%2Fnow%2Fsp%2Fwidget%2Fwidget-simple-list%5EORurlSTARTSWITH%2Fapi%2Fnow%2Fsp%2Fwidget%2F5b255672cb03020000f8d856634c9c28%5Esys_created_by%3Dguest&sysparm_view= Note that the transaction log is only retained for a limited period, so an empty result only tells you nothing happened within the retained window.
2. Check where this widget is used in your instance. Append the following to your instance URL to list the pages on which the widget is currently in use and whether it is marked Public:
- Please refer to official guidance from ServiceNow through Now Support and public documentation, available at https://docs.servicenow.com, for guidance on addressing this issue.
- Developing Custom Widgets
- IP Address Access Control
We’re here to help.
If you would like any assistance, please feel free to reach out to us here at CloudGo.
Contact us to learn more about how we can help your organisation digitise workflows, transform business process, reduce admin and gain productivity efficiencies.