HC3 Details ServiceNow Cybersecurity Vulnerability, Potential Impacts on Healthcare

October 20, 2023 - A cybersecurity vulnerability in ServiceNow, a cloud computing platform, may allow unauthenticated users to extract data from records, a cybersecurity researcher discovered in mid-October. The Health Sector Cybersecurity Coordination Center (HC3) issued an analyst note on the matter to explore the risk as it relates to the healthcare sector.

Healthcare organizations utilize ServiceNow’s cloud computing capabilities to manage digital workflows and leverage its specialized service management software for healthcare and life sciences. In addition, organizations use the tool to manage digital transformation efforts relating to clinical device management.

Although threat actors have yet to exploit the vulnerability, HC3 stated that the “likelihood that it will be [exploited] is probable.”

“The cybersecurity researcher who made the discovery said that the built-in capability weak link is a misconfiguration in a component or widget in ServiceNow’s system called Simple List. This widget/component puts records into tables that are easily readable,” HC3 noted.

“The second cybersecurity company to confirm the vulnerability stated that the glitch has been around since the Simple List component was created in 2015.”

ServiceNow’s widgets were described as “incredibly powerful but often overlooked,” making it more likely that concerns surrounding them were diminished. Despite the vulnerability having been known to the vendor since 2015, it was not until 2023 that ServiceNow modified the feature to enhance security.

The analyst note stated:

“On March 3, 2023, the cybersecurity researcher noted that ServiceNow made an addition to Simple List to check if ‘public’ is checked off on the code. If it does not, access is denied. Within ServiceNow, resources that rely on ACLs for access control can cause a resource to be public through several ways. We know that one must satisfy the Role, Condition, and Scripted parts of an ACL. If public is not defined as a role on the ACL, an unauthenticated user might still pass the condition or scripted parts and thus be granted access. Even more likely is the ACL is entirely empty of a defined Role, Condition, or Script, allowing an unauthenticated user access to the resource.”

Due to its widespread use in healthcare, it is likely that the vulnerability information will be relevant to a variety of organizations. HC3 recommended that organizations mitigate risk by implementing IP restrictions for inbound traffic if feasible, and to disable public widgets.

Additionally, organizations may consider bolstering access control lists with carefully implemented plug-ins. Overall, organizations should be mindful of the potential impacts of a vulnerability exploitation and take steps to mitigate risk.