On October 19th, 2023 several online resources publicized a potential attack vector through which data from some ServiceNow tables can be exposed to unauthenticated users.
Description and Potential Impact
For data that was meant to be kept private to be exposed to unauthenticated users, both of the following conditions need to hold at the same time:
1 – You have placed a Widget Instance of the out-of-the-box SimpleListWidget portal widget (or of a clone of it that you have created) on a portal page with public visibility.
2 – Your instance contains tables protected only by an empty ACL. An empty ACL is a table ACL that specifies no condition, requires no role (or only the public role), and performs no validation in its script field, so it grants access to anyone, including unauthenticated users.
If both conditions hold, an attacker can modify the context in which the public SimpleListWidget runs so that it reads from a table with an empty ACL instead of the table it was configured for. The widget then renders the records of that table to the unauthenticated visitor, because the empty ACL imposes no restriction.
Workaround / Remediation
1 – Identify any public SimpleListWidget instance and change its visibility to non-public, OR
2 – Remove the widget from all public pages.
3 – In addition, make sure that no table in your instance that you do not want to expose to unauthenticated users has an empty ACL.
Note that step 1 or 2 closes this specific attack path, while step 3 removes the underlying over-exposure; once they are performed, unauthenticated users will have no access to those tables through any widget. If there is information that you do need to expose to unauthenticated users, either keep the widget public but ensure that no table or dictionary in your instance other than the intended ones has an empty ACL, or use a different widget type to expose that data. Restricting access to the instance with incoming IP address filters is also recommended, so that instance data is reachable only from known, trusted IP addresses.
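As an added example (not the Update Set Quality Clouds published, and not ServiceNow code), the following ES5 JavaScript audits an instance for the two preconditions above: it lists Simple List widget instances placed on public portal pages, and it reports table ACLs that are empty in the sense defined above (no condition, no enabled script, no role other than public). It assumes that the out-of-the-box widget's display name is 'Simple List' (a clone must be matched by its own name), that the page's public flag is reached by dot-walking sp_instance to sp_column, sp_row, sp_container and sp_page, and that role assignments live in sys_security_acl_role. The GlideRecord collectors only run inside ServiceNow (as a Background Script or Fix Script); outside ServiceNow the script exercises the same classification functions over constructed sample records.

```javascript
// Added example, not Quality Clouds' Update Set or ServiceNow code.
// ES5 style so it also runs in ServiceNow's server-side Rhino runtime.

function isTrue(v) {
  // GlideRecord hands booleans back as strings ('true' / '1'), so normalise.
  return v === true || v === 'true' || v === '1' || v === 1;
}

// An ACL is "empty" when it protects a table (type 'record'), is active,
// has no condition, no enabled script, and needs no role other than 'public'.
// Assumption: any non-blank script counts as a check; a script that only sets
// answer = true is just as open and has to be reviewed by hand.
function isEmptyAcl(acl, roleNames) {
  if (acl.type !== 'record' || !isTrue(acl.active)) return false;
  var hasCondition = String(acl.condition || '').trim() !== '';
  var hasScript = isTrue(acl.advanced) && String(acl.script || '').trim() !== '';
  var restrictive = roleNames.filter(function (r) { return r && r !== 'public'; });
  return !hasCondition && !hasScript && restrictive.length === 0;
}

// acls:     [{sys_id, name, operation, type, active, condition, advanced, script}]
// aclRoles: [{acl: <acl sys_id>, role: <role name>}] from sys_security_acl_role
function findEmptyAcls(acls, aclRoles) {
  var rolesByAcl = {};
  aclRoles.forEach(function (m) {
    (rolesByAcl[m.acl] = rolesByAcl[m.acl] || []).push(m.role);
  });
  return acls.filter(function (a) {
    return isEmptyAcl(a, rolesByAcl[a.sys_id] || []);
  }).map(function (a) {
    return { sys_id: a.sys_id, name: a.name, operation: a.operation };
  });
}

// instances: [{sys_id, widget, page, pagePublic}] flattened from sp_instance.
function findPublicSimpleLists(instances, widgetName) {
  return instances.filter(function (i) {
    return i.widget === widgetName && isTrue(i.pagePublic);
  });
}

// Collectors for the ServiceNow runtime (GlideRecord exists only there).
function collectFromInstance(widgetName) {
  var acls = [], aclRoles = [], instances = [];
  var gr = new GlideRecord('sys_security_acl');
  gr.addQuery('type', 'record');
  gr.addQuery('active', true);
  gr.query();
  while (gr.next()) {
    acls.push({ sys_id: gr.getUniqueValue(), name: gr.getValue('name'),
      operation: gr.getDisplayValue('operation'), type: 'record', active: true,
      condition: gr.getValue('condition'), advanced: gr.getValue('advanced'),
      script: gr.getValue('script') });
  }
  var rr = new GlideRecord('sys_security_acl_role');
  rr.query();
  while (rr.next()) {
    aclRoles.push({ acl: rr.getValue('sys_security_acl'),
      role: rr.getDisplayValue('sys_user_role') });
  }
  var si = new GlideRecord('sp_instance');
  si.addQuery('sp_widget.name', widgetName);                         // assumed widget name
  si.addQuery('sp_column.sp_row.sp_container.sp_page.public', true);  // assumed dot-walk
  si.query();
  while (si.next()) {
    instances.push({ sys_id: si.getUniqueValue(), widget: widgetName,
      page: si.sp_column.sp_row.sp_container.sp_page.id.toString(), pagePublic: true });
  }
  return { acls: acls, aclRoles: aclRoles, instances: instances };
}

// Constructed sample records (not from any real instance) for running offline.
var SAMPLE_ACLS = [
  { sys_id: 'a1', name: 'x_vendor_table', operation: 'read', type: 'record', active: 'true', condition: '', advanced: 'false', script: '' },
  { sys_id: 'a2', name: 'incident', operation: 'read', type: 'record', active: 'true', condition: '', advanced: 'false', script: '' },
  { sys_id: 'a3', name: 'kb_knowledge', operation: 'read', type: 'record', active: 'true', condition: 'workflow_state=published^EQ', advanced: 'false', script: '' },
  { sys_id: 'a4', name: 'u_public_faq', operation: 'read', type: 'record', active: 'true', condition: '', advanced: 'false', script: '' }
];
var SAMPLE_ACL_ROLES = [{ acl: 'a2', role: 'itil' }, { acl: 'a4', role: 'public' }];
var SAMPLE_INSTANCES = [
  { sys_id: 'i1', widget: 'Simple List', page: 'index', pagePublic: 'true' },
  { sys_id: 'i2', widget: 'Simple List', page: 'ticket', pagePublic: 'false' },
  { sys_id: 'i3', widget: 'KB Article', page: 'index', pagePublic: 'true' }
];

var data = (typeof GlideRecord !== 'undefined')
  ? collectFromInstance('Simple List')
  : { acls: SAMPLE_ACLS, aclRoles: SAMPLE_ACL_ROLES, instances: SAMPLE_INSTANCES };
var log = (typeof gs !== 'undefined') ? function (m) { gs.info(m); } : function (m) { console.log(m); };
findPublicSimpleLists(data.instances, 'Simple List').forEach(function (i) {
  log('Public Simple List instance ' + i.sys_id + ' on page ' + i.page);
});
findEmptyAcls(data.acls, data.aclRoles).forEach(function (a) {
  log('Empty ACL ' + a.sys_id + ' on ' + a.name + ' (' + a.operation + ')');
});
```

On the sample data the script reports the two ACLs with no role and with only the public role (a1 and a4) and the single Simple List instance on a public page (i1); the ACL guarded by the itil role and the one carrying a condition are skipped. Run it as an admin in a sub-production instance first, treat every hit as a record to review rather than an automatic fix, and remember that it deliberately skips ACLs with any non-blank script, so advanced ACLs whose script amounts to answer = true still need a manual look.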
How can Quality Clouds Help?
Quality Clouds already lists all public portal widgets in your instance. You should review that list and ensure that any public widget of type SimpleListWidget is changed to have non-public visibility.
Unfortunately, because this vulnerability affects Out-of-the-Box elements, and Quality Clouds only includes added or modified Configuration Elements in its analysis, it is not possible to identify all tables with empty ACLs from the existing scan data.
To help minimize the possible impact of this potential data exposure on the ServiceNow community, we have made available an Update Set that contains a Fix Script which looks for and reports the name and sys_id of every empty ACL in the instance. The Update Set is available here.
For more information, the official ServiceNow support article about this issue is available here.