During an authorised penetration testing assessment of Xpand IT Write-Back software, Balwurk’s security team found multiple security vulnerabilities, first disclosed to the customer and then responsibly submitted to the MITRE CVE program.
The vulnerability described here allows an attacker to retrieve the secret salt used to encrypt and decrypt the license hashes that are commercially issued to clients or customers.
This blog post is the first of a four-part series in which we technically describe five security vulnerabilities and how they were detected and exploited.
What is Write-Back?
Write-Back is a Tableau extension that enables users to submit data directly from a Tableau dashboard to your database, allowing them to implement any actionable use case without leaving the analysis flow.
Write-Back lets users take Tableau further and implement use cases that require user input, such as forecasting, planning, adding comments, or any other actionable process. It includes features such as on-premise execution, auditing, support for multiple back-end databases, and integrated authentication.
Before diving into more technical details, we should describe the layout of Write-Back’s high-level back-end architecture:
Write-Back (Server): Tableau extensions are web-based and deployed on a separate application server from the Tableau Server/Cloud. This means that Write-Back should be placed side by side with Tableau, ideally on a separate machine. Users will interact with the Write-Back extension through the Tableau dashboards that can be on different Tableau platforms, i.e. Tableau Desktop, Tableau Server, or even on Tableau Cloud.
Write-Back Manager: Centralizes all configuration and gives platform administrators full control over how Write-Back is configured, through a web UI. Each Write-Back installation has its own Write-Back Manager deployed on the same machine to manage that instance.
Technical description
This vulnerability, assigned CVE-2023-27169, falls into the category of use of a hard-coded cryptographic key. The license validator in the Manager component relies on a symmetric encryption algorithm keyed with a static salt or secret.
By analysing the files of a local Windows installation, we were able to retrieve the salt used in the license creation and validation routine.
WriteBackLicenseConfig.class (decompiled):

    package com.xpandit.license.writeback.config;

    import com.xpandit.license.api.config.LicenseConfig;

    public class WriteBackLicenseConfig implements LicenseConfig {
        // Static salt shipped inside the product and shared by every installation:
        // anyone who can read this class file holds the license key material.
        private String salt = "xpandit_write321back1231";
        private String pluginId = "com.xpandit.plugins.writeback";

        public String getSalt() {
            return this.salt;
        }

        public String getPluginId() {
            return this.pluginId;
        }
    }
Impact
If the license creation and validation routines rely solely on the LicenseConfig salt as the encryption key providing both secrecy and integrity for a license hash/key, then an attacker who holds that salt can reverse the encryption, recover any information encoded in the license string, and forge their own commercial Write-Back licenses.
CVE ID: CVE-2023-27169
CVSS 3.1 Base Score: 5.1
CVSS Vector: AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Affected Vendor: Xpand IT
Affected Product: Write-Back
Affected Version: Write-Back Manager v2.3.1
Mitigation
All affected customers should update Write-Back to at least version 4.1.
Timeline
29-11-2022 – Vulnerability detected and reported to Write-Back.
22-02-2023 – Vulnerability submitted to MITRE.
10-03-2023 – Vulnerability accepted and CVE-2023-27169 reserved.
12-07-2023 – Official patch released by the Write-Back team.
13-09-2023 – Public disclosure of CVE-2023-27169.
Credits
Bruno Pincho | Penetration Tester at Balwurk