-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Advisory ID: SYSS-2020-032 Product: Tableau Server Manufacturer: Tableau Software, LLC, a Salesforce Company Affected Version(s): 2019.4-2019.4.17, 2020.1-2020.1.13, 2020.2-2020.2.10, 2020.3-2020.3.6, 2020.4-2020.4.2 Tested Version(s): 2020.2.1 (20202.20.0525.1210) 64-bit Windows Vulnerability Type: URL Redirection to Untrusted Site (CWE-601) Risk Level: Medium Solution Status: Fixed Manufacturer Notification: 2020-07-29 Solution Date: 2021-03-23 Public Disclosure: 2021-03-23 CVE Reference: CVE-2021-1629 Author of Advisory: Dr. Vladimir Bostanov, SySS GmbH ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Overview: Tableau Server is an online data management, analysis, and visualization platform. The manufacturer describes the product as follows [1]: "Tableau Server enables everyone in an organization to see and understand data, with offerings for every user type." Due to insufficient server-side validation of user input, Tableau Server is vulnerable to URL redirection to untrusted site by the "Share view" function. An authenticated attacker can replace the shared view's URL by the URL of a malicious web page. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Vulnerability Details: A feature of the Tableau Server web application allows users to share views with other users of the same Tableau site. Upon clicking on a standard share icon, a dialog box appears in which the sharer can chose an arbitrary number of recipients from a list of all users of the same Tableau site. Upon clicking on the "Share" button in the dialog box, the user client sends a POST request containing among other data the recipients' user IDs and the shared resource's URL. An attacker with access to a viewer account (no higher privileges are needed for sharing a view) can send a "Share view" request, intercept it, and replace the shared view's URL by the URL of a malicious web page. Without sufficient validation of the relevant parameter, the Tableau server sends to all specified recipients a trustworthy email message including a Tableau logo and a PNG image of the shared view. A victim who clicks on the image or on the "Go to View" button lands on the malicious web page, because the value of the href attribute of the underlying anchor element has been set to the URL specified by the attacker. Note that, technically, this is not an open redirect vulnerability, because the victim's browser is directed to an untrusted location by an email client or a web mail application, rather than being redirected by the Tableau Server itself. The effect is, however, virtually the same, because open redirect payloads are also usually delivered to victims via email. Moreover, in the present case, the whole email message including the sender (the Tableau server) is completely authentic -- except for the manipulated URL. Thus, it is much more trustworthy than, e.g., an average phishing mail containing an open redirect link. Note also that, if the malicious URL points to a fake copy of the Tableau Server login page, landing on it would not raise the victim's suspicion, since opening a Tableau view shared via email, indeed, requires authentication. Thus, a phishing attack has a great chance of success. The attacker needs, however, an access to a Tableau account. Another important limitation is that the group of potential victims is restricted to the users of the same Tableau site. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Proof of Concept (PoC): An authenticated attacker shares the view "Project/Topic" with two other users of the same Tableau site "Site", one of them being the site administrator (user ID: 1234). The attacker's browser sends the following request to the Tableau Server at https://target.host/ ([...] denotes abridged content): POST /vizportal/api/web/v1/shareContent HTTP/1.1 Host: target.host [...] Referer: https://target.host/t/Site/views/Project/Topic?:embed=y&[...] content-type: application/json [...] { "method": "shareContent", "params": { "contentId": 45684, "contentType": "view", "recipients": [{ "type": "USER", "id": "1234" }, { "type": "USER", "id": "1238" }], "url": "https://target.host/t/Site/views/Project/Topic?:[...]", "message": "Check this out!", "shouldShareThumbnail": false } } The attacker intercepts the request and replaces the view's URL: https://target.host/t/Site/views/Project/Topic?:[...] by the URL of a fake copy of the Tableau Server login page: https://target.host.evil.me/#/signin/?redirect=[true view URL] The victim receives a notification email from the Tableau Server including an image of the shared view and a "Go to View" button, as explained above. Upon clicking on one of these elements, the fake Tableau Server login page is opened in the victim's browser. If the victim does not notice the difference in the domain name, he/she fills the login form with username and password, and presses the "Sing In" button. The credentials are submitted to the attacker's server evil.me. The attacker's sever-side script receives and stores the stolen credentials and redirects the victim's browser back to the authentic Tableau site. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Solution: Upgrade Tableau Server to version 2019.4.18, 2020.1.14, 2020.2.11, 2020.3.7, 2020.4.3, or 2021.1. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Disclosure Timeline: 2020-07-21: Vulnerability discovered 2020-07-29: Vulnerability reported to Tableau Security Team (TST) 2020-07-30: TST confirmed the vulnerability and asked for more time than the usual 45 days [4] to fix it as well as for coordinated disclosure; SySS GmbH agreed 2020-08-04: TST promised to acknowledge in their disclosure Dr. Vladimir Bostanov of SySS GmbH as discoverer of the vulnerability 2020-11-19: Upon inquiry by SySS GmbH, TST asked for more time for fixing the vulnerability 2021-02-11: Upon warning by SySS GmbH, TST quoted 2021-03-23 as a tentative release date for the fixed versions and promised to inform SySS GmbH by 2021-03-12, if the vulnerability fix would be included in the March releases 2021-03-16: SySS GmbH asked TST about any news; TST did not answer 2021-03-18: SySS GmbH asked again, TST did not answer 2021-03-23: Upon third inquiry by SySS GmbH, TST asked SySS GmbH to "have patience" and promised to "provide information soon" 2021-03-23: Salesforce disclosed the vulnerability WITHOUT mentioning Dr. Vladimir Bostanov or SySS GmbH [3]; SySS GmbH was NOT informed about the disclosure (but found out about it on 2021-04-06) THE COORDINATED DISCLOSURE AGREEMENT HAS THUS BEEN SERIOUSLY VIOLATED BY TABLEAU SECURITY TEAM AND SALESFORCE ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ References: [1] Product website for Tableau Server https://www.tableau.com/products/server [2] SySS Security Advisory SYSS-2020-032 Open Redirect in Tableau Server https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2020-032.txt [3] Salesforce security advisory ADV-2021-010 Tableau Server Open Redirect https://help.salesforce.com/articleView?id=000357424&type=1&mode=1 [4] SySS Responsible Disclosure Policy https://www.syss.de/en/news/responsible-disclosure-policy/ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Credits: This security vulnerability was found by Dr. Vladimir Bostanov of SySS GmbH. E-Mail: vladimir.bostanov@syss.de Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Vladimir_Bostanov.asc Key ID: 0xA589542B Key Fingerprint: 4989 C59F D54B E926 3A81 E37C A7A9 1848 A589 542B ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Disclaimer: The information provided in this security advisory is provided "as is" and without warranty of any kind. Details of this security advisory may be updated in order to provide as accurate information as possible. The latest version of this security advisory is available on the SySS GmbH web site. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Copyright: Creative Commons - Attribution (by) - Version 3.0 URL: https://creativecommons.org/licenses/by/3.0/deed.en -----BEGIN PGP SIGNATURE----- iQJOBAEBCgA4FiEESYnFn9VL6SY6geN8p6kYSKWJVCsFAmBsc1kaHHZsYWRpbWly LmJvc3Rhbm92QHN5c3MuZGUACgkQp6kYSKWJVCupLg//dqQyvQE6CDNWyWBl25tN p7rp/cTdOnfKKovJYvfF4+aoDoiUZHTU5+hlK65uESjMngMazECU6+eDp3wtaaUs bcp3MH0cdoDe/4xZGehm3x1VTA0+x9bY6Rn2e8IjEDn97/VTDp7ptUo0DrD4XSFY OTCnRXCmoGIMUs/0LsHhXZvoHw0vcPWQ4L99+OoJowh1DKptD0jCGraMJUEfvLxC LSe31HTwFW5VMN/tMMbJhCAgAsqJfdCXXAXX6k2K4RdOqCBuUl3pbdM21ZsR+wRb ctICMhjWYffJuBaeN7Gt3QXY2x2EB9/lTEBFNAyJVIelXSjML7GhwiPfsaWG22HR 3wxp4YEFEylIz2Lz6oDvXFFZtS579j3toRkOucfL+9iskdfaGtCWRTRI9f4y4Jzp ihffvze1Fosw4s6mJDygB69rIXupycTf0mKPGMnJIWHtNvsj5P1fC5uo7MhY905h 4h89kUC43cJQJvLAHfvvQvJTTflsI9C9HRrU1BSSRsqMrqRmEE9JrXU1xmkYP9Aq 3beHADPKrdEz54+CKn/voxErSq1WBiSV3Gk/U4zq7eaf5opnRTYpsjqJz885f7Ar gzQA4H6WCz225m1bmU42p7C/EcLTY1G+Ki4n5rBoyC0cPOFQ3PbUMoqVWYa3pH8C AmqiqkwOIwBKsTyIV+D5xJM= =cToY -----END PGP SIGNATURE-----