-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Advisory ID: SYSS-2020-032
Product: Tableau Server
Manufacturer: Tableau Software, LLC, a Salesforce Company
Affected Version(s): 2019.4-2019.4.17, 2020.1-2020.1.13,
2020.2-2020.2.10, 2020.3-2020.3.6, 2020.4-2020.4.2
Tested Version(s): 2020.2.1 (20202.20.0525.1210) 64-bit Windows
Vulnerability Type: URL Redirection to Untrusted Site (CWE-601)
Risk Level: Medium
Solution Status: Fixed
Manufacturer Notification: 2020-07-29
Solution Date: 2021-03-23
Public Disclosure: 2021-03-23
CVE Reference: CVE-2021-1629
Author of Advisory: Dr. Vladimir Bostanov, SySS GmbH
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Overview:
Tableau Server is an online data management, analysis, and visualization
platform.
The manufacturer describes the product as follows [1]:
"Tableau Server enables everyone in an organization to see and
understand data, with offerings for every user type."
Due to insufficient server-side validation of user input, Tableau
Server is vulnerable to URL redirection to untrusted site by the "Share
view" function. An authenticated attacker can replace the shared view's
URL by the URL of a malicious web page.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Vulnerability Details:
A feature of the Tableau Server web application allows users to share
views with other users of the same Tableau site. Upon clicking on a
standard share icon, a dialog box appears in which the sharer can chose
an arbitrary number of recipients from a list of all users of the same
Tableau site. Upon clicking on the "Share" button in the dialog box,
the user client sends a POST request containing among other data the
recipients' user IDs and the shared resource's URL.
An attacker with access to a viewer account (no higher privileges are
needed for sharing a view) can send a "Share view" request, intercept
it, and replace the shared view's URL by the URL of a malicious web
page. Without sufficient validation of the relevant parameter, the
Tableau server sends to all specified recipients a trustworthy email
message including a Tableau logo and a PNG image of the shared view. A
victim who clicks on the image or on the "Go to View" button lands on
the malicious web page, because the value of the href attribute of the
underlying anchor element has been set to the URL specified by the
attacker.
Note that, technically, this is not an open redirect vulnerability,
because the victim's browser is directed to an untrusted location by an
email client or a web mail application, rather than being redirected by
the Tableau Server itself. The effect is, however, virtually the same,
because open redirect payloads are also usually delivered to victims
via email. Moreover, in the present case, the whole email message
including the sender (the Tableau server) is completely authentic --
except for the manipulated URL. Thus, it is much more trustworthy than,
e.g., an average phishing mail containing an open redirect link.
Note also that, if the malicious URL points to a fake copy of the
Tableau Server login page, landing on it would not raise the victim's
suspicion, since opening a Tableau view shared via email, indeed,
requires authentication. Thus, a phishing attack has a great chance of
success. The attacker needs, however, an access to a Tableau account.
Another important limitation is that the group of potential victims is
restricted to the users of the same Tableau site.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Proof of Concept (PoC):
An authenticated attacker shares the view "Project/Topic" with two
other users of the same Tableau site "Site", one of them being the site
administrator (user ID: 1234).
The attacker's browser sends the following request to the Tableau Server
at https://target.host/ ([...] denotes abridged content):
POST /vizportal/api/web/v1/shareContent HTTP/1.1
Host: target.host
[...]
Referer: https://target.host/t/Site/views/Project/Topic?:embed=y&[...]
content-type: application/json
[...]
{
"method": "shareContent",
"params": {
"contentId": 45684,
"contentType": "view",
"recipients": [{
"type": "USER",
"id": "1234"
}, {
"type": "USER",
"id": "1238"
}],
"url": "https://target.host/t/Site/views/Project/Topic?:[...]",
"message": "Check this out!",
"shouldShareThumbnail": false
}
}
The attacker intercepts the request and replaces the view's URL:
https://target.host/t/Site/views/Project/Topic?:[...]
by the URL of a fake copy of the Tableau Server login page:
https://target.host.evil.me/#/signin/?redirect=[true view URL]
The victim receives a notification email from the Tableau Server
including an image of the shared view and a "Go to View" button, as
explained above. Upon clicking on one of these elements, the fake
Tableau Server login page is opened in the victim's browser. If the
victim does not notice the difference in the domain name, he/she fills
the login form with username and password, and presses the "Sing In"
button. The credentials are submitted to the attacker's server evil.me.
The attacker's sever-side script receives and stores the stolen
credentials and redirects the victim's browser back to the authentic
Tableau site.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Solution:
Upgrade Tableau Server to version 2019.4.18, 2020.1.14, 2020.2.11,
2020.3.7, 2020.4.3, or 2021.1.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Disclosure Timeline:
2020-07-21: Vulnerability discovered
2020-07-29: Vulnerability reported to Tableau Security Team (TST)
2020-07-30: TST confirmed the vulnerability and asked for more time than
the usual 45 days [4] to fix it as well as for coordinated disclosure;
SySS GmbH agreed
2020-08-04: TST promised to acknowledge in their disclosure
Dr. Vladimir Bostanov of SySS GmbH as discoverer of the vulnerability
2020-11-19: Upon inquiry by SySS GmbH, TST asked for more time for
fixing the vulnerability
2021-02-11: Upon warning by SySS GmbH, TST quoted 2021-03-23 as a
tentative release date for the fixed versions and promised to inform
SySS GmbH by 2021-03-12, if the vulnerability fix would be included
in the March releases
2021-03-16: SySS GmbH asked TST about any news; TST did not answer
2021-03-18: SySS GmbH asked again, TST did not answer
2021-03-23: Upon third inquiry by SySS GmbH, TST asked SySS GmbH
to "have patience" and promised to "provide information soon"
2021-03-23: Salesforce disclosed the vulnerability WITHOUT
mentioning Dr. Vladimir Bostanov or SySS GmbH [3]; SySS GmbH was NOT
informed about the disclosure (but found out about it on 2021-04-06)
THE COORDINATED DISCLOSURE AGREEMENT HAS THUS BEEN
SERIOUSLY VIOLATED BY TABLEAU SECURITY TEAM AND SALESFORCE
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
References:
[1] Product website for Tableau Server
https://www.tableau.com/products/server
[2] SySS Security Advisory SYSS-2020-032
Open Redirect in Tableau Server
https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2020-032.txt
[3] Salesforce security advisory ADV-2021-010
Tableau Server Open Redirect
https://help.salesforce.com/articleView?id=000357424&type=1&mode=1
[4] SySS Responsible Disclosure Policy
https://www.syss.de/en/news/responsible-disclosure-policy/
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Credits:
This security vulnerability was found
by Dr. Vladimir Bostanov of SySS GmbH.
E-Mail: vladimir.bostanov@syss.de
Public Key:
https://www.syss.de/fileadmin/dokumente/PGPKeys/Vladimir_Bostanov.asc
Key ID: 0xA589542B
Key Fingerprint: 4989 C59F D54B E926 3A81 E37C A7A9 1848 A589 542B
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Disclaimer:
The information provided in this security advisory is provided "as is"
and without warranty of any kind. Details of this security advisory
may be updated in order to provide as accurate information as possible.
The latest version of this security advisory is available on the
SySS GmbH web site.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Copyright:
Creative Commons - Attribution (by) - Version 3.0
URL: https://creativecommons.org/licenses/by/3.0/deed.en
-----BEGIN PGP SIGNATURE-----
iQJOBAEBCgA4FiEESYnFn9VL6SY6geN8p6kYSKWJVCsFAmBsc1kaHHZsYWRpbWly
LmJvc3Rhbm92QHN5c3MuZGUACgkQp6kYSKWJVCupLg//dqQyvQE6CDNWyWBl25tN
p7rp/cTdOnfKKovJYvfF4+aoDoiUZHTU5+hlK65uESjMngMazECU6+eDp3wtaaUs
bcp3MH0cdoDe/4xZGehm3x1VTA0+x9bY6Rn2e8IjEDn97/VTDp7ptUo0DrD4XSFY
OTCnRXCmoGIMUs/0LsHhXZvoHw0vcPWQ4L99+OoJowh1DKptD0jCGraMJUEfvLxC
LSe31HTwFW5VMN/tMMbJhCAgAsqJfdCXXAXX6k2K4RdOqCBuUl3pbdM21ZsR+wRb
ctICMhjWYffJuBaeN7Gt3QXY2x2EB9/lTEBFNAyJVIelXSjML7GhwiPfsaWG22HR
3wxp4YEFEylIz2Lz6oDvXFFZtS579j3toRkOucfL+9iskdfaGtCWRTRI9f4y4Jzp
ihffvze1Fosw4s6mJDygB69rIXupycTf0mKPGMnJIWHtNvsj5P1fC5uo7MhY905h
4h89kUC43cJQJvLAHfvvQvJTTflsI9C9HRrU1BSSRsqMrqRmEE9JrXU1xmkYP9Aq
3beHADPKrdEz54+CKn/voxErSq1WBiSV3Gk/U4zq7eaf5opnRTYpsjqJz885f7Ar
gzQA4H6WCz225m1bmU42p7C/EcLTY1G+Ki4n5rBoyC0cPOFQ3PbUMoqVWYa3pH8C
AmqiqkwOIwBKsTyIV+D5xJM=
=cToY
-----END PGP SIGNATURE-----