
ServiceNow admins, take note: Prevent public access to KB articles


In a recent study conducted by cybersecurity researcher Costello, it has been revealed that a concerning number of enterprise instances using ServiceNow are at risk due to insecure configurations in their Knowledge Base articles. The most alarming finding was that approximately 60% of enterprise instances analyzed still have the outdated setting of allowing public access to their KB articles by default.

One of the key security properties highlighted in the study is the use of User Criteria to secure employee-created KB articles. According to ServiceNow, User Criteria is essential for denying access to KB articles unless specific user groups are granted permission. This feature was introduced in March 2020, but many enterprise instances have not updated their configurations to take advantage of this added layer of security.

Costello emphasized that even when User Criteria is properly configured, setting a simple ‘Can Contribute’ property on a KB article can inadvertently allow unauthenticated users to access insecure content. This oversight poses a serious risk to the confidentiality and integrity of sensitive information stored in these KB articles.

Moreover, Costello pointed out that the default User Criteria settings provided by ServiceNow can be misleading, particularly for administrators who may not be familiar with the nuances of these security features. While there is a clearly named ‘Guest User’ criterion for granting unauthenticated access, there are other criteria with less obvious names that can also inadvertently allow external users to read KB articles.

Another major issue identified in the study is the common practice of only setting allow-lists (‘Can Read’) in User Criteria, while neglecting the deny-lists (‘Cannot Read’). This oversight creates a vulnerability where external users can exploit gaps in the security configuration and gain unauthorized access to sensitive information.
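To make the three problems above concrete (an open allow-list, a guest-matching ‘Can Contribute’ setting, and a missing ‘Cannot Read’ deny-list), here is an added Python audit script. It is not code from the study or from ServiceNow: the article records, the criteria names other than ‘Guest User’, and the simplified evaluation rule (a guest-matching deny-list entry wins; an empty allow-list grants access) are assumptions constructed for illustration, so an administrator would replace them with data exported from their own instance.

```python
# Added example: an offline audit of KB article User Criteria, modelled on the
# findings described in the article. The record shape, the criteria names and
# the evaluation rule are constructed assumptions, not ServiceNow's schema or API.
from dataclasses import dataclass, field

# Constructed: User Criteria records that match unauthenticated users.
# "Guest User" is the obvious one; "Public Users" is a hypothetical name that
# stands in for criteria whose names do not reveal that they match guests.
GUEST_CRITERIA = {"Guest User", "Public Users"}


@dataclass
class KBArticle:
    number: str
    can_read: set = field(default_factory=set)        # allow-list
    cannot_read: set = field(default_factory=set)     # deny-list
    can_contribute: set = field(default_factory=set)  # contributor allow-list


def guest_can_read(article: KBArticle) -> bool:
    """Simplified rule (assumption): a guest-matching 'Cannot Read' entry always wins;
    otherwise an empty 'Can Read' list, or one containing a guest criterion, grants access."""
    if article.cannot_read & GUEST_CRITERIA:
        return False
    if not article.can_read:
        return True  # no allow-list at all: open to everyone in this model
    return bool(article.can_read & GUEST_CRITERIA)


def guest_can_contribute(article: KBArticle) -> bool:
    """'Can Contribute' evaluated with the same deny-wins rule."""
    if article.cannot_read & GUEST_CRITERIA:
        return False
    return bool(article.can_contribute & GUEST_CRITERIA)


def audit(articles) -> dict:
    """Return {article number: [issues]} for every article with a finding."""
    findings = {}
    for a in articles:
        issues = []
        if guest_can_read(a):
            issues.append("readable by unauthenticated users")
        if guest_can_contribute(a):
            issues.append("'Can Contribute' grants unauthenticated access")
        # Allow-list present but no guest deny-list: a single mis-named criterion
        # added to 'Can Read' later would open the article, so flag it.
        if a.can_read and not (a.cannot_read & GUEST_CRITERIA):
            issues.append("allow-list only: no 'Cannot Read' entry for guests")
        if issues:
            findings[a.number] = issues
    return findings


# Constructed sample articles covering each configuration discussed.
SAMPLE_ARTICLES = [
    KBArticle("KB0001"),                                                    # no criteria at all
    KBArticle("KB0002", can_read={"Guest User"}),                           # explicit guest allow
    KBArticle("KB0003", can_read={"Employees"}),                            # allow-list only
    KBArticle("KB0004", can_read={"Employees"}, cannot_read={"Guest User"}),  # allow + deny
    KBArticle("KB0005", can_read={"Employees"}, can_contribute={"Public Users"}),
    KBArticle("KB0006", can_read={"Public Users"}, cannot_read={"Guest User"}),  # deny wins
]

if __name__ == "__main__":
    for number, issues in audit(SAMPLE_ARTICLES).items():
        print(number, "->", "; ".join(issues))
```

In this model only KB0004 and KB0006 come out clean, because both carry a ‘Cannot Read’ entry for guests; KB0006 in particular shows why the deny-list matters, since its allow-list names a guest-matching criterion with an unobvious name and only the deny-list keeps it private.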

The complexity of User Criteria settings in ServiceNow presents a significant challenge for administrators tasked with securing their organization’s KB articles. The potential for misconfiguration and oversight underscores the need for thorough training and ongoing monitoring to ensure that access controls are properly implemented and enforced.

In light of these findings, it is essential for organizations using ServiceNow to conduct a comprehensive review of their User Criteria settings and KB article permissions. By proactively addressing these security vulnerabilities, enterprises can better protect their sensitive data and mitigate the risk of unauthorized access.
