In late July 2024, the US Cybersecurity and Infrastructure Security Agency (CISA) added two critical vulnerabilities (CVE-2024-4789 and CVE-2024-5217) affecting ServiceNow to its list of known exploited vulnerabilities. These vulnerabilities can allow unauthenticated users to execute code remotely, posing severe risks to organizations that use the platform. The potential for unauthorized access and severe data breaches makes addressing these vulnerabilities crucial.
CVE-2024-4789 and CVE-2024-5217 are vulnerabilities in the ServiceNow platform, rated critical with Common Vulnerability Scoring System (CVSS) scores of 9.3 and 9.2, respectively. CVE-2024-4789 stems from improper input validation, while CVE-2024-5217 involves an incomplete list of disallowed inputs. Exploiting these vulnerabilities could allow attackers to bypass security mechanisms, execute remote code, and even gain unauthorized administrative privileges, potentially leading to a complete server takeover.
ServiceNow identified weakness enumeration CWE-2187 in vulnerability CVE-2024-4789 and CWE-184 in vulnerability CVE-2024-5217. The National Institute of Standards and Technology (NIST) also identified weakness enumeration CWE-697 in vulnerability CVE-2024-5217 and is still conducting analysis for an additional, unnamed CWE in vulnerability CVE-2024-4789.
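The weakness class the page names for CVE-2024-5217, CWE-184 (incomplete list of disallowed inputs), is easiest to see in a generic validator. The example below is added here for illustration; it is not ServiceNow's code and does not reproduce either CVE. The field rule it enforces (ASCII letters, digits, underscore and hyphen) and the deliberately short denylist are assumptions chosen to show why a denylist leaves gaps that an allowlist does not.

```python
"""
Added illustration of CWE-184 (incomplete denylist) next to an allowlist.
Generic example code, not ServiceNow's code and not a reproduction of
CVE-2024-4789 or CVE-2024-5217. The field rule and the denylist contents
are assumptions made for this demonstration.
"""
import re

# Denylist approach: reject only the characters the author thought of.
# Anything missing from this (constructed, deliberately short) set passes,
# which is exactly the CWE-184 pattern.
DISALLOWED = {"<", ">", "'", '"'}


def denylist_is_safe(value: str) -> bool:
    """Accept the value unless it contains a listed character."""
    return not any(ch in DISALLOWED for ch in value)


# Allowlist approach: accept only what the field is defined to contain.
# Assumed rule: ASCII letters, digits, underscore, hyphen; 1 to 64 chars.
ALLOWED = re.compile(r"[A-Za-z0-9_-]{1,64}")


def allowlist_is_safe(value: str) -> bool:
    """Accept the value only if every character is in the allowed set."""
    return ALLOWED.fullmatch(value) is not None


def compare(values):
    """Map each input to (denylist verdict, allowlist verdict)."""
    return {v: (denylist_is_safe(v), allowlist_is_safe(v)) for v in values}


# Constructed inputs: a benign value, one the denylist catches, and three
# that use characters or encodings the denylist never listed.
SAMPLES = [
    "build-42",   # benign; both validators accept
    "a<b",        # listed character; both validators reject
    "a;b",        # ';' is not on the denylist
    "a\x00b",     # NUL byte is not on the denylist
    "a%3Cb",      # percent-encoded '<' bypasses a literal-character denylist
]


def gaps(values=SAMPLES):
    """Inputs the denylist accepts but the allowlist rejects."""
    return [v for v, (d, a) in compare(values).items() if d and not a]


if __name__ == "__main__":
    for v, (d, a) in compare(SAMPLES).items():
        print(f"{v!r:12} denylist={'pass' if d else 'reject':6} "
              f"allowlist={'pass' if a else 'reject'}")
    print("denylist gaps:", gaps())
```

The point for reviewers and defenders is the shape of the two functions: a denylist must enumerate every dangerous input, including encodings of them, and is wrong the moment one is missed; an allowlist states what the field may contain and rejects everything else by default, so the patch for a "missed" character is never needed.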
Failure to address these vulnerabilities could lead to severe consequences, including data breaches, service disruptions, or total loss of control over your IT infrastructure. As attackers can leverage these vulnerabilities to impersonate authenticated users, organizations must act swiftly to mitigate the risks associated with CVE-2024-4789 and CVE-2024-5217.
If you or one of your vendors uses ServiceNow, you should ensure you’re using the latest version and then prepare to carry out the next steps around risk mitigation and incident response. If you detect a vendor at risk of either of these vulnerabilities, you can send a remediation request directly within UpGuard, allowing the technology owner to understand the tool's current state and the necessary steps to achieve comprehensive remediation.
UpGuard’s vulnerabilities module helps you mitigate security threats proactively by automatically detecting risks across your internal infrastructure from exposed information in your HTTP headers, website content, open ports, and other common attack vectors. With our third-party monitoring feature, you’ll also be able to identify potential risks and known vulnerabilities across your vendor network.
UpGuard provides a comprehensive approach to vulnerability scanning and continuous security monitoring by automatically detecting risks across your internal infrastructure and across your vendor ecosystem: