CVE-2022-43684
Weakness (CWE)
CVSS Vector (v3.1)
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Changed
- Confidentiality: High
- Integrity: High
- Availability: High
Description
ServiceNow has released patches and an upgrade that address an Access Control List (ACL) bypass issue in ServiceNow Core functionality.
Additional Details
This issue is present in the following supported ServiceNow releases:
- Quebec prior to Patch 10 Hot Fix 8b
- Rome prior to Patch 10 Hot Fix 1
- San Diego prior to Patch 7
- Tokyo prior to Tokyo Patch 1; and
- Utah prior to Utah General Availability
If this ACL bypass issue were to be successfully exploited, it potentially could allow an authenticated user to obtain sensitive information from tables missing authorization controls.
Comprehensive Technical Analysis of CVE-2022-43684 (ServiceNow ACL Bypass Vulnerability)
1. Vulnerability Assessment and Severity Evaluation
CVE ID: CVE-2022-43684
CVSS Score: 9.9 (Critical) – CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Vulnerability Type: Access Control List (ACL) Bypass (Insecure Direct Object Reference - IDOR)
Impact: Privilege Escalation, Unauthorized Data Access, Potential Full System Compromise
Severity Breakdown:
- Attack Vector (AV:N): Exploitable remotely over the network.
- Attack Complexity (AC:L): Low complexity; no specialized conditions required.
- Privileges Required (PR:L): Low privileges (authenticated user with basic access).
- User Interaction (UI:N): No user interaction needed.
- Scope (S:C): Changes scope (impacts components beyond the vulnerable system).
- Confidentiality (C:H): High impact; sensitive data exposure.
- Integrity (I:H): High impact; unauthorized modifications possible.
- Availability (A:H): High impact; potential denial-of-service or system takeover.
This vulnerability is critical due to its low exploitation complexity, high impact on confidentiality and integrity, and the potential for full administrative compromise of ServiceNow instances.
2. Potential Attack Vectors and Exploitation Methods
Root Cause:
The vulnerability stems from improper ACL enforcement in ServiceNow’s core functionality, allowing authenticated users to bypass access controls on tables that should require elevated permissions. This is likely due to:
- Insufficient validation of user permissions when accessing restricted tables.
- Misconfigured or missing ACL rules on sensitive tables.
- Improper handling of direct object references (e.g., via API calls or UI interactions).
Exploitation Methods:
A. Direct Table Access via API or UI
- An attacker with low-privileged access (e.g., the itil or user_admin role) can craft malicious API requests (REST/SOAP) or manipulate UI parameters to access restricted tables.
- Example:
  GET /api/now/table/[restricted_table]?sysparm_query=active=true
- If ACLs are bypassed, the attacker retrieves sensitive data (e.g., sys_user, sys_user_group, sys_dictionary).
B. Privilege Escalation to Admin
- By accessing system tables (e.g., sys_user_role, sys_user_has_role), an attacker can:
  - Modify their own role assignments to gain administrative privileges.
  - Create new admin users or escalate existing low-privileged accounts.
- Example:
  POST /api/now/table/sys_user_has_role { "user": "[attacker_user_sys_id]", "role": "[admin_role_sys_id]" }
C. Data Exfiltration & System Compromise
- Once ACLs are bypassed, an attacker can:
- Dump sensitive data (e.g., user credentials, PII, configuration secrets).
- Modify workflows, scripts, or business rules to maintain persistence.
- Execute arbitrary code via ServiceNow Script Includes or Business Rules.
D. Chaining with Other Vulnerabilities
- If combined with CVE-2023-34248 (another ServiceNow vulnerability), an attacker could achieve unauthenticated remote code execution (RCE).
3. Affected Systems and Software Versions
The vulnerability affects all supported ServiceNow releases prior to the following patched versions:
| ServiceNow Release | Vulnerable Versions | Patched Version |
|---|---|---|
| Quebec | < Quebec Patch 10 HF8b | Quebec Patch 10 HF8b |
| Rome | < Rome Patch 10 HF1 | Rome Patch 10 HF1 |
| San Diego | < San Diego Patch 7 | San Diego Patch 7 |
| Tokyo | < Tokyo Patch 1 | Tokyo Patch 1 |
| Utah | < Utah GA | Utah GA |
Note:
- Unsupported versions (e.g., older than Quebec) are highly likely to be vulnerable but not officially patched.
- Custom ACL configurations may exacerbate or mitigate the issue.
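To triage an instance inventory against the table above, the following added helper (not part of the advisory or of ServiceNow's tooling) parses a build name such as "Rome Patch 10 Hot Fix 1" and reports whether it is at or above the patched level; the "Release [Patch N] [Hot Fix M[letter]]" naming format is an assumption, and pre-GA Utah builds cannot be told apart from GA by name alone.

```javascript
// Minimum patched level per release, taken from the table above: [patch, hotfix, hotfix letter].
const PATCHED_LEVEL = {
  'quebec':    [10, 8, 'b'],   // Quebec Patch 10 Hot Fix 8b
  'rome':      [10, 1, ''],    // Rome Patch 10 Hot Fix 1
  'san diego': [7, 0, ''],     // San Diego Patch 7
  'tokyo':     [1, 0, ''],     // Tokyo Patch 1
  'utah':      [0, 0, ''],     // Utah GA (assumption: GA is level 0; pre-GA builds are not distinguishable by name)
};

// Assumed build-name format: "<Release> [Patch N] [Hot Fix M[a-z] | HFM[a-z]]".
const BUILD_RE = /^(quebec|rome|san diego|tokyo|utah)(?:\s+patch\s+(\d+))?(?:\s+(?:hot\s*fix|hf)\s*(\d+)([a-z])?)?$/i;

// Parse a build name into { release, level }; null when the release is not in the table.
function parseBuild(name) {
  const m = BUILD_RE.exec(name.trim());
  if (!m) return null;
  return {
    release: m[1].toLowerCase(),
    level: [Number(m[2] || 0), Number(m[3] || 0), (m[4] || '').toLowerCase()],
  };
}

// Lexicographic comparison of [patch, hotfix, letter]; a missing letter ('') sorts before 'a'.
function compareLevel(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] < b[i]) return -1;
    if (a[i] > b[i]) return 1;
  }
  return 0;
}

// true = at or above the patched level, false = vulnerable, null = release not covered by the table.
function isPatched(buildName) {
  const b = parseBuild(buildName);
  if (!b) return null;
  return compareLevel(b.level, PATCHED_LEVEL[b.release]) >= 0;
}
```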
4. Recommended Mitigation Strategies
A. Immediate Actions (Patch Management)
- Apply the latest patches from ServiceNow:
- ServiceNow Security Advisory (KB1303489)
- Upgrade to the latest stable release (Utah or Tokyo Patch 1+).
- Verify patch installation via:
SELECT * FROM sys_update_version WHERE name LIKE '%CVE-2022-43684%';
B. Workarounds (If Patching is Delayed)
- Restrict Access to Sensitive Tables:
  - Manually enforce ACLs on critical tables (e.g., sys_user, sys_user_role).
  - Example script ACL (a ServiceNow ACL script reports its decision through the answer variable; this one admits only users holding the admin role):
    answer = gs.getUser().hasRole('admin');
- Disable Unnecessary API Access:
  - Restrict REST/SOAP API access to trusted IPs via IP Access Controls.
- Monitor for Suspicious Activity:
  - Enable audit logging for sensitive tables:
    UPDATE sys_properties SET value = 'true' WHERE name = 'glide.security.audit.log.enabled';
  - Set up SIEM alerts for unusual table access patterns.
C. Long-Term Hardening
- Implement Least Privilege:
- Review and restrict user roles to minimize unnecessary access.
- Use ServiceNow’s Role-Based Access Control (RBAC) effectively.
- Enable Multi-Factor Authentication (MFA):
- Enforce MFA for all administrative accounts.
- Conduct Regular Security Assessments:
- Penetration testing to identify misconfigured ACLs.
- Automated scanning (e.g., ServiceNow’s Security Operations module).
5. Impact on the Cybersecurity Landscape
A. Enterprise Risk Exposure
- ServiceNow is widely used in ITSM, HR, and security operations, making this a high-value target.
- Exploitation could lead to:
- Data breaches (PII, financial records, intellectual property).
- Supply chain attacks (if ServiceNow integrates with other systems).
- Ransomware deployment (via persistence mechanisms).
B. Threat Actor Interest
- APT groups (e.g., state-sponsored actors) may exploit this for espionage.
- Cybercriminals could use it for financial fraud or extortion.
- Insider threats (disgruntled employees) may abuse this for data theft.
C. Industry-Wide Implications
- Increased scrutiny on SaaS security (ServiceNow is a major player in cloud-based ITSM).
- Regulatory compliance risks (GDPR, HIPAA, SOX) if sensitive data is exposed.
- Reputation damage for organizations failing to patch promptly.
6. Technical Details for Security Professionals
A. Vulnerability Mechanics
- ACL Bypass via Direct Object Reference:
- ServiceNow uses sys_id (unique identifiers) for table records.
- If ACLs are not properly enforced, an attacker can guess or brute-force sys_ids to access restricted data.
- Exploitation via REST API:
  - Example attack payload:
    GET /api/now/table/sys_user?sysparm_query=active=true&sysparm_fields=user_name,email,roles
  - If ACLs are bypassed, this returns all user records, including admins.
- Privilege Escalation via Role Manipulation:
  - An attacker can modify their own role by:
    POST /api/now/table/sys_user_has_role { "user": "attacker_sys_id", "role": "admin_sys_id" }
B. Detection & Forensics
- Log Analysis:
  - Check sys_audit and syslog for unusual table access:
    SELECT * FROM sys_audit WHERE table_name = 'sys_user' AND created_by != 'admin';
- SIEM Rules:
  - Alert on multiple failed ACL checks followed by successful access.
  - Monitor for unexpected role assignments (e.g., itil → admin).
- Memory Forensics (Post-Exploitation):
  - Check ServiceNow logs (/var/log/servicenow/) for:
    - Unusual API calls.
    - Script execution (e.g., Script Include modifications).
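The two SIEM signals above (repeated ACL denials followed by an allowed access to a restricted table, and an unexpected itil → admin role grant, which is also the "unusual table access patterns" alert from the workarounds section), as an added offline example in plain JavaScript that is not part of the advisory or of ServiceNow; the access-log records, the sys_user_has_role field names and the approved-admin list are constructed assumptions.

```javascript
// Tables whose reads or writes by non-admin accounts are worth alerting on (from the analysis above).
const RESTRICTED = new Set(['sys_user', 'sys_user_role', 'sys_user_has_role', 'sys_dictionary']);
const APPROVED_ADMINS = new Set(['admin']);   // constructed allow-list of accounts permitted to grant admin
const DENIALS_BEFORE_ALERT = 2;               // consecutive ACL denials before an allowed access is suspicious

// Constructed per-request ACL decision records (not real ServiceNow log output), in time order.
const accessLog = [
  { ts: '2022-11-02T02:30:05Z', user: 'jdoe', table: 'sys_user_role', op: 'read', outcome: 'denied' },
  { ts: '2022-11-02T02:30:09Z', user: 'jdoe', table: 'sys_user', op: 'read', outcome: 'denied' },
  { ts: '2022-11-02T02:31:40Z', user: 'jdoe', table: 'sys_user', op: 'read', outcome: 'allowed', rows: 1450 },
  { ts: '2022-11-02T02:41:10Z', user: 'jdoe', table: 'sys_user_has_role', op: 'insert', outcome: 'allowed', rows: 1 },
  { ts: '2022-11-02T10:00:00Z', user: 'admin', table: 'sys_user', op: 'read', outcome: 'allowed', rows: 1450 },
];

// Constructed sys_user_has_role export rows; the field names are assumptions about the export format.
const roleGrants = [
  { user: 'jdoe', role: 'itil', sys_created_by: 'admin', sys_created_on: '2022-11-01T09:12:00Z' },
  { user: 'jdoe', role: 'admin', sys_created_by: 'jdoe', sys_created_on: '2022-11-02T02:41:10Z' },
  { user: 'asmith', role: 'admin', sys_created_by: 'admin', sys_created_on: '2022-11-02T10:00:00Z' },
];

// Signal 1: a user accumulates ACL denials on restricted tables and then gets an
// allowed access to a restricted table. The denial counter is per user and is
// reset by any allowed access, so only the denied-then-allowed sequence fires.
function findDeniedThenAllowed(log) {
  const denials = new Map();
  const alerts = [];
  for (const r of log) {
    if (!RESTRICTED.has(r.table)) continue;
    if (r.outcome === 'denied') {
      denials.set(r.user, (denials.get(r.user) || 0) + 1);
    } else {
      const n = denials.get(r.user) || 0;
      if (n >= DENIALS_BEFORE_ALERT) alerts.push({ user: r.user, table: r.table, op: r.op, priorDenials: n, at: r.ts });
      denials.set(r.user, 0);
    }
  }
  return alerts;
}

// Signal 2: an admin role granted by an account outside the approved list,
// flagging the self-grant case (record creator equals the user receiving the role).
function findSuspiciousAdminGrants(grants) {
  return grants
    .filter(g => g.role === 'admin' && !APPROVED_ADMINS.has(g.sys_created_by))
    .map(g => ({ user: g.user, grantedBy: g.sys_created_by, selfGrant: g.sys_created_by === g.user, at: g.sys_created_on }));
}
```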
C. Proof-of-Concept (PoC) Considerations
- Publicly available PoCs (e.g., x64.sh) demonstrate:
- Full admin compromise via ACL bypass.
- Data exfiltration from restricted tables.
- Security teams should:
- Test in a non-production environment before patching.
- Verify patch effectiveness by attempting exploitation.
Conclusion & Recommendations
CVE-2022-43684 is a critical ACL bypass vulnerability that allows low-privileged users to escalate to full administrative control of ServiceNow instances. Given its CVSS 9.9 score and ease of exploitation, organizations must:
- Patch immediately (prioritize ServiceNow updates).
- Enforce least privilege and monitor for suspicious activity.
- Conduct a post-patch security assessment to ensure no residual exposure.
Failure to mitigate this vulnerability could result in severe data breaches, regulatory penalties, and operational disruption.
Security teams should treat this as a top-priority remediation effort.