CVE-2021-45901 in ServiceNow
Summary
by MITRE • 02/10/2022
The password-reset form in ServiceNow Orlando provides different responses to invalid authentication attempts depending on whether the username exists.
Analysis
by VulDB Data Team • 11/29/2024
The vulnerability identified as CVE-2021-45901 resides within the password reset functionality of ServiceNow Orlando, a widely deployed enterprise service management platform. This issue is a classic information-leak vector: the application's response depends on the input, which undermines the confidentiality the authentication system is meant to provide. The flaw manifests when users attempt to reset passwords through the designated form, where the system returns distinct messages based on whether the target username exists in the directory. This behavior gives a malicious actor a clear signal for enumerating valid user accounts within the system.
The technical root of this vulnerability lies in the ServiceNow platform's authentication handling, where the password reset form checks whether the user exists before generating its response. When a user enters a username that does not exist, the system returns one type of response message, while valid usernames trigger a different response. This differential treatment violates the fundamental principle that authentication systems should respond consistently regardless of whether the input is valid. The vulnerability maps directly to CWE-204, which covers information exposure through response differences, and aligns with ATT&CK technique T1589.002 for credential access through account enumeration.
From an operational impact perspective, this vulnerability enables attackers to conduct systematic user enumeration attacks against ServiceNow instances. Security researchers and malicious actors can leverage this weakness to identify valid user accounts by observing the system's response patterns during password reset attempts. The implications extend beyond simple account discovery, as successful enumeration can facilitate subsequent attacks including brute force attempts, credential stuffing, or social engineering campaigns targeting specific users. Organizations utilizing ServiceNow Orlando may experience unauthorized access attempts, increased attack surface, and potential data breaches if this vulnerability remains unaddressed.
The mitigation strategy for CVE-2021-45901 requires immediate implementation of consistent response handling across all authentication pathways. Organizations should ensure that password reset forms provide identical response messages regardless of whether the username exists in the system. This approach aligns with the principle of least information disclosure, where authentication systems should not reveal information about account validity to prevent enumeration attacks. Security teams should also implement rate limiting and account lockout mechanisms to further reduce the effectiveness of automated enumeration attempts. Additionally, regular security assessments should verify that similar information leakage vulnerabilities do not exist in other authentication components within the ServiceNow environment, as this represents a systemic security weakness that could affect other user-facing authentication interfaces.
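As an added illustration (not ServiceNow's code; the user store, outbox and function names are constructed), here is the leaky reset handler described above beside the consistent-response version the mitigation paragraph calls for, plus the check an assessor would run to tell them apart:

```python
"""Added example, not ServiceNow code: a password-reset handler that leaks
account existence through its response (CWE-204), beside a hardened version.
The user directory and mail outbox below are constructed for illustration."""
import secrets

# Constructed sample user directory: username -> e-mail address on file
USERS = {"alice": "alice@example.test", "bob": "bob@example.test"}

# Stands in for the mail queue so the example runs offline
OUTBOX = []


def reset_vulnerable(username: str) -> dict:
    """The CWE-204 pattern: status and message depend on whether the account exists."""
    if username not in USERS:
        return {"status": 404, "message": "No account found for that username."}
    OUTBOX.append((USERS[username], secrets.token_urlsafe(32)))
    return {"status": 200, "message": "A reset link has been sent."}


def reset_hardened(username: str) -> dict:
    """Same status and message for every input; the only difference is internal.
    The token is generated unconditionally so known and unknown usernames follow
    the same code path; the mail send itself belongs on an asynchronous queue so
    the response does not wait on it and leak the difference through latency."""
    token = secrets.token_urlsafe(32)
    if username in USERS:
        OUTBOX.append((USERS[username], token))
    return {
        "status": 200,
        "message": "If an account exists for that username, a reset link has been sent.",
    }


def responses_distinguish(handler, known: str, unknown: str) -> bool:
    """Regression check: does the handler respond differently to a username
    that exists and one that does not? True means the handler is enumerable."""
    return handler(known) != handler(unknown)


if __name__ == "__main__":
    print("vulnerable enumerable:", responses_distinguish(reset_vulnerable, "alice", "mallory"))
    print("hardened enumerable:  ", responses_distinguish(reset_hardened, "alice", "mallory"))
```

The same check, pointed at a real reset endpoint over HTTP and comparing status, body and response time, is what a security assessment of other ServiceNow authentication interfaces would automate.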