-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Advisory ID: SYSS-2020-032
Product: Tableau Server
Manufacturer: Tableau Software, LLC, a Salesforce Company
Affected Version(s): 2019.4-2019.4.17, 2020.1-2020.1.13,
  2020.2-2020.2.10, 2020.3-2020.3.6, 2020.4-2020.4.2
Tested Version(s): 2020.2.1 (20202.20.0525.1210) 64-bit Windows
Vulnerability Type: URL Redirection to Untrusted Site (CWE-601)
Risk Level: Medium
Solution Status: Fixed
Manufacturer Notification: 2020-07-29
Solution Date: 2021-03-23
Public Disclosure: 2021-03-23
CVE Reference: CVE-2021-1629
Author of Advisory: Dr. Vladimir Bostanov, SySS GmbH

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

Tableau Server is an online data management, analysis, and visualization
platform.

The manufacturer describes the product as follows [1]:

 "Tableau Server enables everyone in an organization to see and
  understand data, with offerings for every user type."

Due to insufficient server-side validation of user input, Tableau
Server is vulnerable to URL redirection to untrusted site by the "Share
view" function. An authenticated attacker can replace the shared view's
URL by the URL of a malicious web page.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

A feature of the Tableau Server web application allows users to share
views with other users of the same Tableau site. Upon clicking on a
standard share icon, a dialog box appears in which the sharer can
choose an arbitrary number of recipients from a list of all users of
the same Tableau site. Upon clicking on the "Share" button in the
dialog box, the user client sends a POST request containing among other
data the recipients' user IDs and the shared resource's URL.

An attacker with access to a viewer account (no higher privileges are
needed for sharing a view) can send a "Share view" request, intercept
it, and replace the shared view's URL by the URL of a malicious web
page. Without sufficient validation of the relevant parameter, the
Tableau server sends to all specified recipients a trustworthy e-mail
message including a Tableau logo and a PNG image of the shared view. A
victim who clicks on the image or on the "Go to View" button lands on
the malicious web page, because the value of the href attribute of the
underlying anchor element has been set to the URL specified by the
attacker.

Note that, technically, this is not an open redirect vulnerability,
because the victim's browser is directed to an untrusted location by an
e-mail client or a web mail application, rather than being redirected
by the Tableau Server itself. The effect is, however, virtually the
same, because open redirect payloads are also usually delivered to
victims via e-mail. Moreover, in the present case, the whole e-mail
message including the sender (the Tableau server) is completely
authentic -- except for the manipulated URL. Thus, it is much more
trustworthy than, e.g., an average phishing mail containing an open
redirect link.

Note also that, if the malicious URL points to a fake copy of the
Tableau Server login page, landing on it would not raise the victim's
suspicion since opening a Tableau view shared via e-mail, indeed,
requires authentication. Thus, a phishing attack has a great chance of
success. The attacker needs, however, an access to a Tableau account.
Another important limitation is that the group of potential victims is
restricted to the users of the same Tableau site.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

An authenticated attacker shares the view "Project/Topic" with two
other users of the same Tableau site "Site", one of them being the site
administrator (user ID: 1234).

The attacker's browser sends the following request to the Tableau Server
at https://target.host/ ([...] denotes abridged content):

POST /vizportal/api/web/v1/shareContent HTTP/1.1
Host: target.host
[...]
Referer: https://target.host/t/Site/views/Project/Topic?:embed=y&[...]
content-type: application/json
[...]

{
  "method": "shareContent",
  "params": {
    "contentId": 45684,
    "contentType": "view",
    "recipients": [{
      "type": "USER",
      "id": "1234"
    }, {
      "type": "USER",
      "id": "1238"
    }],
    "url": "https://target.host/t/Site/views/Project/Topic?:[...]",
    "message": "Check this out!",
    "shouldShareThumbnail": false
  }
}

The attacker intercepts the request and replaces the view's URL:

  https://target.host/t/Site/views/Project/Topic?:[...]

by the URL of a fake copy of the Tableau Server login page:

  https://target.host.evil.me/#/signin/?redirect=[true view URL]

The victim receives a notification e-mail from the Tableau Server
including an image of the shared view and a "Go to View" button, as
explained above. Upon clicking on one of these elements, the fake
Tableau Server login page is opened in the victim's browser. If the
victim does not notice the difference in the domain name, he/she fills
the login form with username and password and presses the "Sign In"
button. The credentials are submitted to the attacker's server evil.me.
The attacker's sever-side script receives and stores the stolen
credentials and redirects the victim's browser back to the authentic
Tableau site.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

Upgrade Tableau Server to version 2019.4.18, 2020.1.14, 2020.2.11,
2020.3.7, 2020.4.3, or 2021.1.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2020-07-21: Vulnerability discovered
2020-07-29: Vulnerability reported to Tableau Security Team (TST)
2020-07-30: TST confirmed the vulnerability and asked for more time than
  the usual 45 days [4] to fix it as well as for coordinated disclosure;
  SySS GmbH agreed
2020-08-04: TST promised to acknowledge in their disclosure
  Dr. Vladimir Bostanov of SySS GmbH as discoverer of the vulnerability
2020-11-19: Upon inquiry by SySS GmbH, TST asked for more time to fix
  the vulnerability
2021-02-11: Upon warning by SySS GmbH, TST quoted 2021-03-23 as a
  tentative release date for the fixed versions and promised to inform
  SySS GmbH by 2021-03-12, if the vulnerability fix would be included
  in the March releases
2021-03-16: SySS GmbH asked TST about any news; TST did not answer
2021-03-18: SySS GmbH asked again, TST did not answer
2021-03-23: Upon third inquiry by SySS GmbH, TST asked SySS GmbH
  to "have patience" and promised to "provide information soon"
2021-03-23: Salesforce disclosed the vulnerability WITHOUT
  mentioning Dr. Vladimir Bostanov or SySS GmbH [3]; SySS GmbH was NOT
  informed about the disclosure (but found out about it on 2021-04-06)
 
THE COORDINATED DISCLOSURE AGREEMENT HAS THUS BEEN
SERIOUSLY VIOLATED BY TABLEAU SECURITY TEAM AND SALESFORCE

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:


[1] Product Website for Tableau Server
    https://www.tableau.com/products/server

[2] SySS Security Advisory SYSS-2020-032
    Open Redirect in Tableau Server
    https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2020-032.txt

[3] Salesforce Security Advisory ADV-2021-010
    Tableau Server Open Redirect
    https://help.salesforce.com/articleView?id=000357424&type=1&mode=1
   
[4] SySS Responsible Disclosure Policy
    https://www.syss.de/en/news/responsible-disclosure-policy/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found
by Dr. Vladimir Bostanov of SySS GmbH.

E-Mail: vladimir.bostanov@syss.de
Public Key:
  https://www.syss.de/fileadmin/dokumente/PGPKeys/Vladimir_Bostanov.asc
Key ID: 0xA589542B
Key Fingerprint: 4989 C59F D54B E926 3A81 E37C A7A9 1848 A589 542B

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is"
and without warranty of any kind. Details of this security advisory
may be updated in order to provide as accurate information as possible.
The latest version of this security advisory is available on the
SySS GmbH website.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0
URL: https://creativecommons.org/licenses/by/3.0/deed.en

-----BEGIN PGP SIGNATURE-----

iQJOBAEBCgA4FiEESYnFn9VL6SY6geN8p6kYSKWJVCsFAmBtgL8aHHZsYWRpbWly
LmJvc3Rhbm92QHN5c3MuZGUACgkQp6kYSKWJVCsvdBAAl179Gv+cBNdGY/jtFERY
Fo+pQRTVQxPFyoru5KPYOz5Sf0mUIx78oGoX003jtT9BNtk1Jj28jZbG+I0VBAhk
Xzr77lEOQIxef553YwcTngKDAeqxTigsEZq2mnq9/jQA/l1BK8kEJMZLMTCe5qm5
nAhhJoJvxXs7F+wOFhpmu1/HqSXYKQcDY0L5ysBfTD9c/4oRVj+zW4as1f3LI3GR
lq7RhssHjUwnaLWHKmpj6p+lCEaXpu+GwOJ23vPFdQMRykIl1N3vDzoVksML1GYQ
6cHtChuDM4BPjem3GmCPO/oJI8MEcGkN71EZIPlvYpUBabtYK0bmrzphIgBIOix3
NNxBnEFcEjLgjTj80676gtEV8RgGyu4BNSkXQmBQ4iD2UTNwt3OFQkGfdVE80vQP
lj536zUn2TxNGSDpfH3zobOZsPYvWwjiVxYYTZMNcqVauUQZ/XsV39dFH9pSRSHX
lrAi26C8RLRvJkdmf0BfxWRd4nygBJthNZSEK3yHKjXTmTYlHyaoS5Ek0y6FImIc
Gk4UvKN8J+MNQwlkCSEAtOg7Xk9jOa2T6frhanHqrKMLu9Zmf8siTYX+p1+Bg72z
fVc0Gq8n/vpJ2WOOL3wCAreHoL+wpEauX4ilI2BR4MYrhKBysTzzpTECUGZgUOLb
kFCd2l5j4C8JF23eJe+EOxw=
=o56W
-----END PGP SIGNATURE-----