
New Attacks Take Advantage of ServiceNow Vulnerabilities Discovered a Year Ago


GreyNoise, a threat intelligence firm, has warned of increased malicious activity targeting three known vulnerabilities in ServiceNow, a popular cloud-based platform that organizations use for workflow management. The vulnerabilities, identified as CVE-2024-4879, CVE-2024-5217, and CVE-2024-5178, were initially disclosed by security researcher Adam Kues on May 14, 2024, and patched by ServiceNow on the same day.

Despite the availability of patches, GreyNoise has observed a resurgence in attacks aimed at exploiting these flaws. The firm detected a significant number of unique IP addresses involved in these attacks, with 36 threat IPs targeting CVE-2024-5178 and 48 threat IPs each targeting CVE-2024-4879 and CVE-2024-5217 within a 24-hour period.

The malicious activity has primarily targeted systems in Israel, with a smaller number of attacks detected in Lithuania, Japan, and Germany. This concentration in specific regions raises concerns about a potential targeted campaign against ServiceNow users.

CVE-2024-4879 is a template injection vulnerability that could allow attackers to inject malicious code into ServiceNow templates, potentially leading to remote code execution and server compromise. CVE-2024-5217 and CVE-2024-5178 involve input validation errors that could be exploited to manipulate data and bypass security controls, posing a significant security risk to organizations using ServiceNow to manage sensitive information.

While ServiceNow has stated that it has not observed any customer impact from coordinated attack campaigns, organizations are advised to take immediate action to protect their systems. This includes applying the latest security patches, restricting access to management interfaces, and monitoring for suspicious activity.

Aaron Costello, chief of SaaS security research at AppOmni, highlighted the severity of the vulnerability, especially for on-premise ServiceNow systems that may not have updated security patches. He emphasized the importance of staying current with security updates, particularly for on-premise SaaS software, and implementing IP address access controls to prevent exploitation of these vulnerabilities.

In conclusion, the increased exploitation of vulnerabilities in ServiceNow underscores the ongoing threat posed by cyber attackers and the importance of maintaining robust security measures to protect sensitive data and systems from potential compromises. Organizations using ServiceNow should prioritize security updates and best practices to mitigate the risks associated with these known vulnerabilities.
