FortiNDRCloud
nchow
Staff
Article Id 334523

Description 

CVE-2024-4879 is a Jelly Template Injection Vulnerability in UI macros that could enable an unauthenticated user to remotely execute code within the context of the Now Platform.

CVE-2024-5178 is an Incomplete Input Validation in SecurelyAccess API. This vulnerability could allow an administrative user to gain unauthorized access to sensitive files on the web application server.

CVE-2024-5217 is an Incomplete Input Validation in GlideExpression Script. This vulnerability could enable an unauthenticated user to remotely execute code within the context of the Now Platform.

When these attacks are chained together, they lead to Remote Code Execution and potential data breaches with unauthorized system access.

CVE ID    

CVE-2024-4879 (https://nvd.nist.gov/vuln/detail/CVE-2024-4879)
CVE-2024-5178 (https://nvd.nist.gov/vuln/detail/CVE-2024-5178)
CVE-2024-5217 (https://nvd.nist.gov/vuln/detail/CVE-2024-5217)

NDR Cloud Detection Rule

FortiNDR Cloud v2024.8+

| Detection Rule Name | Category | Primary MITRE ID |
| --- | --- | --- |
| FortiGuard Outbreak Alert: ServiceNow Input Validation RCE - CVE-2024-4879 | Attack: Exploitation | T1190 - Exploit Public-Facing Application |

Playbook 

N/A

Threat hunting

N/A

Suricata Coverage

N/A

Other Fortinet Products

For more details regarding mitigating the vulnerability by utilizing Fortinet products, please refer to
https://www.fortiguard.com/outbreak-alert/servicenow-rce