DIVD-2024-00033 - ServiceNow - unauthenticated remote code execution (RCE)
| Our reference | DIVD-2024-00033 |
| Case lead | Alwin Warringa |
| Researcher(s) |
|
| CVE(s) | |
| Products |
|
| Versions |
|
| Recommendation | Install a patched version of ServiceNow |
| Patch status | Released |
| Workaround | No workaround available |
| Status | Closed |
| Last modified | 18 Sep 2024 20:38 CEST |
Summary
ServiceNow has addressed an input validation vulnerability identified in Utah, Vancouver, and Washington DC ServiceNow Platform releases. This vulnerability could enable an unauthenticated user to remotely execute code within the context of the Now Platform. ServiceNow applied an update to hosted instances and released the update to service partners and customers running a self-hosted version.
Recommendations
ServiceNow released several patched versions. We suggest you update one of the mentioned versions (or better) as soon as possible.
What we are doing
DIVD is currently working to identify parties that are running a vulnerable version of ServiceNow and to notify these parties. We do this by verifying the presence of the vulnerability in a harmless manner and collect the software version number if possible.
Timeline
| Date | Description |
|---|---|
| 13 Jul 2024 | DIVD starts researching the vulnerability. |
| 13 Jul 2024 | DIVD finds fingerprint, preparing to scan. |
| 17 Jul 2024 | DIVD starts scanning the internet for vulnerable instances. |
| 17 Jul 2024 | DIVD starts notifying network owners with a vulnerable instance in their network. |
| 18 Sep 2024 | DIVD sent out a second round of notifications. |
| 18 Sep 2024 | Case closed. |
More information
- CVE-2024-4879
- CVE-2024-5178
- CVE-2024-5217
- Assetnote vulnerability research
- ServiceNow security advisory)