ServiceNow ACL Misconfiguration FAQ

What is the ServiceNow Access Control List (ACL) misconfiguration?

As part of the AO Labs team’s ongoing security research into the ServiceNow platform, AppOmni Offensive Security Engineer Aaron Costello discovered external interfaces exposed to the public that may be utilized by a malicious actor to extract data from records. AppOmni’s analysis of ServiceNow instances showed that nearly 70% of tested instances are vulnerable to this misconfiguration, which could allow an unauthenticated user to extract sensitive data, including Personal Identifiable Information (PII). 

How does the ServiceNow ACL misconfiguration happen?

There are many legitimate reasons why a company may use their SaaS platforms as a delivery vehicle for public content such as forums, online shops, customer support sites, and knowledge bases. SaaS platforms like ServiceNow are complex and highly configurable. Along with this incredible flexibility comes the ability to inadvertently expose data that isn’t intended to be shared. That makes it common for organizations to have system configurations that don’t match their business intent, such as over provisioning Guest users in this ServiceNow ACL misconfiguration. Customers are responsible for configuring their SaaS platforms and ACLs are commonly misconfigured. 

How can I check if my ServiceNow instance has this ACL misconfiguration?

AppOmni has released a web application to evaluate ServiceNow instances for public data exposure through the ACL misconfiguration. You can request a SaaS Security Analyzer evaluation for your ServiceNow instance. 

What type of information is requested in the evaluation?

The types of information requested are high confidence indicators of Personal Identifiable Information (PII), such as First Name, Last Name, email address, etc. but we do not receive the actual data. No data is released in our evaluation with the SaaS Security Analyzer. 

Why does this involve only a limited subset of possible data exposures?

The SaaS Security Analyzer is evaluating only one table out of the thousands commonly used in ServiceNow. This table, along with many others, contains Personal Identifiable Information (PII). The exposure of this data is not intentional and can have negative ramifications for both the organization and the individuals whose data is exposed. That’s one of the reasons AO Labs conducts research like this: to educate organizations about potential misconfigurations and other security issues so they can take action. The SaaS Security Analyzer does not evaluate a complete ServiceNow instance — a more comprehensive evaluation is required to determine if data is at risk.

My portal uses 2FA so how would AppOmni be able to access this information to evaluate?

Authentication isn’t a consideration when talking about this particular exposed external interface and misconfiguration. Since the Guest user does not need to authenticate to the ServiceNow instance, 2FA doesn’t provide any additional protection. With this misconfiguration, the external interface exposes data to anonymous users/the Internet — not to authenticated users.

My data is encrypted at rest. Would it still be exposed?

Yes. Vendor provided disk-level or database-level encryption does not prevent this category of data exposure. If either Edge or Column-Level Encryption (CLE) have been implemented for this particular resource, unauthenticated users will not be able to access data within restricted fields unless their role has been explicitly associated with the field’s encryption context.

What can I do to remediate the ServiceNow ACL misconfiguration?

Be aware: because there are valid reasons for the ACL configuration, disabling the setting as a “fix” is not recommended, as it could break functionality. AO Labs researchers have developed recommended steps ServiceNow administrators can take to remediate this ACL misconfiguration if it does not match their business intent.

Administrators should perform the following checks on a regular basis to ensure that access to sensitive information is not being provisioned to external unauthenticated users.

  1. Review ACLs that are absent of conditional and script based access evaluation, which have either no role, or the public role, assigned to them.
  2. Review User Criteria (UC) and the resources to which those criteria are granting access. In particular, focus on any UC in which the ‘Guest’ user is assigned to or contains the ‘public’ role. This includes the ‘Any User’ and ‘Guest’ built-in UCs.
  3. Review resources that can be directly assigned the ‘public’ role to grant access, or indirectly made accessible to the public through another mechanism (such as publishing a report).
  4. Review System Properties that may dictate access to records through a provided role or list of roles.

These instructions and another option to remediate this ACL misconfiguration can be found in the AO Labs technical paper: “AppOmni Research Discovers Major Security Misconfiguration Impacting ServiceNow and Other SaaS Instances.” 

How can I avoid ServiceNow misconfigurations like this in the future?

AppOmni’s security experts recommend that the security or IT teams responsible for managing SaaS applications at their organization conduct regular evaluations of their SaaS environments. That’s especially important to do when a SaaS platform releases an update, as changes could impact your security posture. The best way to avoid misconfigurations is to implement continuous monitoring of your SaaS ecosystem.

If you’re interested in learning more or have questions about the SaaS Security Analyzer, please email [email protected] and we’ll respond in a timely manner.


AppOmni’s SaaS security management platform gives security and IT teams an easy and automated way to secure their SaaS data and environments.