A dangerous vulnerability in ServiceNow’s Now Assist AI platform permits attackers to execute second-order prompt injection attacks through default agent configuration settings.
The flaw allows unauthorized actions, including data theft, privilege escalation, and exfiltration of external email, even with ServiceNow’s built-in prompt injection protection enabled.
The vulnerability stems from three default configurations that, when combined, create a dangerous attack surface. ServiceNow's Now Assist agents are automatically assigned to the same team and marked as discoverable by default.
This allows inter-agent communication through the AiA ReAct Engine and Orchestrator components, which manage information flow and task delegation between agents.
ServiceNow AI Prompt Injection Attacks
Attackers exploit this by injecting malicious prompts into data fields that other agents will read. When a benign agent encounters the compromised data, it may be tricked into recruiting more powerful agents to execute unauthorized tasks on behalf of the highly privileged user who triggered the initial interaction.
In proof-of-concept demonstrations, AppOmni researchers successfully carried out Create, Read, Update, and Delete (CRUD) operations on sensitive records and sent external emails containing confidential data, all while evading existing security protections.
The attack succeeds primarily because agents execute with the privileges of the user who initiated the interaction, not the user who inserted the malicious prompt.
A low-privileged attacker can therefore leverage administrative agents to bypass access controls and reach data they would otherwise be unable to access.
AppOmni advises organizations using ServiceNow to immediately implement these protective measures:
Enable Supervised Execution Mode: Configure powerful agents performing CRUD operations or email sending to require human approval before executing actions.
Disable Autonomous Overrides: Ensure the sn_aia.enable_usecase_tool_execution_mode_override system property remains set to false.
Segment Agent Teams: Separate agents into distinct teams based on function, preventing low-privilege agents from accessing powerful ones.
Monitor Agent Behavior: Deploy real-time monitoring solutions to detect suspicious agent interactions and deviations from expected workflows.
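One way to check a deployment against the first three measures, as an added example that is not AppOmni's or ServiceNow's code. It audits a constructed inventory of agents; the field names (`team`, `discoverable`, `supervised`, `capabilities`) describe a hypothetical export format, not ServiceNow's schema.

```python
# Added example: flag the risky agent defaults described above.
# Field names and sample records are hypothetical and constructed.
OVERRIDE_PROPERTY = "sn_aia.enable_usecase_tool_execution_mode_override"
POWERFUL_CAPABILITIES = {"create", "update", "delete", "send_email"}

SAMPLE_PROPERTIES = {OVERRIDE_PROPERTY: "true"}  # constructed
SAMPLE_AGENTS = [  # constructed
    {"name": "ticket-summarizer", "team": "default", "discoverable": True,
     "supervised": False, "capabilities": ["read"]},
    {"name": "record-manager", "team": "default", "discoverable": True,
     "supervised": False, "capabilities": ["read", "update", "delete"]},
    {"name": "mailer", "team": "notifications", "discoverable": False,
     "supervised": True, "capabilities": ["send_email"]},
]

def is_powerful(agent):
    """An agent is 'powerful' if it can modify records or send email."""
    return bool(POWERFUL_CAPABILITIES & set(agent["capabilities"]))

def audit(agents, properties):
    """Return (kind, name, issue) tuples for each risky setting found."""
    findings = []
    # Assumption: an absent property is treated as its default, false.
    if str(properties.get(OVERRIDE_PROPERTY, "false")).lower() != "false":
        findings.append(("property", OVERRIDE_PROPERTY, "override is not false"))
    teams = {}
    for agent in agents:
        teams.setdefault(agent["team"], []).append(agent)
    for agent in agents:
        if not is_powerful(agent):
            continue
        if not agent["supervised"]:
            findings.append(("agent", agent["name"],
                             "powerful agent runs without human approval"))
        # Teammates that are not powerful could recruit this agent
        # if injected data tells them to.
        peers = sorted(a["name"] for a in teams[agent["team"]]
                       if not is_powerful(a))
        if agent["discoverable"] and peers:
            findings.append(("agent", agent["name"],
                             "discoverable by lower-privilege teammates: "
                             + ", ".join(peers)))
    return findings

if __name__ == "__main__":
    for kind, name, issue in audit(SAMPLE_AGENTS, SAMPLE_PROPERTIES):
        print(f"[{kind}] {name}: {issue}")
```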
ServiceNow confirmed that these behaviors align with the intended functionality but updated the documentation to clarify configuration risks. Security teams must prioritize auditing their AI agent deployments immediately to prevent exploitation of these default settings.
