WARNING: CRITICAL VULNERABILITY IN SERVICENOW COULD LEAD TO REMOTE CODE EXECUTION

Reference: Advisory #2024-254
Version: 1.0
Affected software: ServiceNow Now Platform
Type: Remote code execution
CVE/CVSS: CVE-2024-8923, CVSS 9.3 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N)

Risks

On 29 October 2024, ServiceNow published an advisory addressing a critical vulnerability in the Now Platform. An unauthenticated user could exploit this vulnerability to execute code remotely.

ServiceNow’s Now Platform is a popular platform, widely used across the globe. Customers of ServiceNow may choose ServiceNow’s cloud offering, which makes these instances attractive targets as they may host sensitive data and are externally accessible.

There is no information as to active exploitation at this time (cut-off date: 30 October 2024).

Exploitation of this vulnerability can have a high impact on confidentiality, integrity and availability.

Description

CVE-2024-8923 is an input validation vulnerability present in the Now Platform releases prior to Xanadu General Availability. Successful exploitation of this vulnerability would enable an unauthenticated user to remotely execute code within the context of the Now Platform.

Recommended Actions

Patch

The Centre for Cybersecurity Belgium strongly recommends installing updates for vulnerable devices with the highest priority, after thorough testing.

ServiceNow urges customers to implement the newest version as soon as possible. Patches have been released since August 2024 for the following versions:

  • For release Xanadu: the fixed version can be found in the Xanadu GA Release
  • For release Washington DC: the fixed versions can be found in Washington DC Patch 4 Hot Fix 1a and Washington DC Patch 5
  • For release Vancouver: the fixed versions can be found in Vancouver Patch 9 Hot Fix 2a and Vancouver Patch 10
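To triage an instance inventory against the fixed builds listed above, here is an added Python example (not code from the CCB or ServiceNow) that parses build names written the way this advisory writes them and flags those below the first fixed build of their release family. It assumes that later patches and hot fixes within a family keep the fix, and that a build whose family is not listed (older than Vancouver, or unrecognised) needs manual review rather than an automatic verdict.

```python
import re

# Lowest build per family that carries the fix for CVE-2024-8923, as
# (patch, hot fix number, hot fix letter), taken from the advisory above.
# Assumption (not stated on the page): later patches and hot fixes within
# the same family keep the fix.
MIN_FIXED = {
    "vancouver": (9, 2, "a"),      # Vancouver Patch 9 Hot Fix 2a, or Patch 10+
    "washington dc": (4, 1, "a"),  # Washington DC Patch 4 Hot Fix 1a, or Patch 5+
    "xanadu": (0, 0, ""),          # fixed from Xanadu GA onwards
}

# Matches human-readable names such as "Washington DC Patch 4 Hot Fix 1a".
_VERSION_RE = re.compile(
    r"^(?P<family>vancouver|washington dc|xanadu)(?:\s+ga)?"
    r"(?:\s+patch\s+(?P<patch>\d+))?"
    r"(?:\s+hot\s*fix\s+(?P<hfnum>\d+)(?P<hfletter>[a-z]?))?\s*$",
    re.IGNORECASE,
)


def parse_version(text):
    """Return (family, (patch, hotfix_number, hotfix_letter)) for a build name.

    Raises ValueError for families the advisory does not list, so that
    unknown or pre-Vancouver builds are reviewed by hand instead of guessed."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Now Platform version: {text!r}")
    family = m.group("family").lower()
    build = (int(m.group("patch") or 0),
             int(m.group("hfnum") or 0),
             (m.group("hfletter") or "").lower())
    return family, build


def is_fixed(text):
    """True if the build is at or above the first fixed build of its family."""
    family, build = parse_version(text)
    return build >= MIN_FIXED[family]  # tuple order: patch, hot fix, letter


def triage(inventory):
    """Return the (instance, version) pairs still exposed to CVE-2024-8923."""
    return [(name, ver) for name, ver in inventory if not is_fixed(ver)]


if __name__ == "__main__":
    # Constructed sample inventory; instance names are placeholders.
    sample = [("itsm-prod", "Washington DC Patch 4"),
              ("itsm-dev", "Washington DC Patch 4 Hot Fix 1a"),
              ("hr-portal", "Vancouver Patch 9 Hot Fix 2"),
              ("pilot", "Xanadu GA")]
    for name, ver in triage(sample):
        print(f"{name}: {ver} still needs the CVE-2024-8923 update")
```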
Monitor/Detect

The CCB recommends organizations upscale monitoring and detection capabilities to identify any related suspicious activity, ensuring a swift response in case of an intrusion.

In case of an intrusion, you can report an incident via: https://ccb.belgium.be/en/cert/report-incident.

While patching appliances or software to the newest version may provide safety from future exploitation, it does not remediate historic compromise.
