Schneider Electric released a new version of Wonderware Intelligence to mitigate a credentials management vulnerability, according to a report with ICS-CERT.
Tableau Server/Desktop Versions 7.0 to 10.1.3 included in Wonderware Intelligence Versions 2014R3 and prior suffer from the issue.
The remotely exploitable vulnerability, which Schneider Electric self-reported, could allow a malicious entity to escalate its privilege to an administrator and take control over the host machine where Tableau Server resides.
Wonderware Intelligence is an operations management software that sees use in the critical manufacturing, energy, healthcare and public health, and water and wastewater systems industries. It also sees action on a global basis.
No known public exploits specifically target this vulnerability. However, an attacker with low skill level could exploit the vulnerability.
In terms of the vulnerability, Tableau Server is an embedded product within the Schneider Electric Wonderware Intelligence software and contains a system account installed by default. The default system account is difficult to modify to use non-default credentials after installation. On top of that, there is no documentation on how to change the default credentials in the embedded Tableau Server. As such, Schneider Electric released a new software version that removes the default system account in the embedded Tableau Server.
If Tableau Server ends up used with Windows integrated security (Active Directory), the software is not vulnerable. However, when Tableau Server sees action with local authentication mode, the software is vulnerable. The default system account could end up used to gain unauthorized access.
CVE-2017-5178 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 9.8.
Schneider Electric released a new software version and recommends affected users should apply Tableau Server Version 10.1.4. In addition, the Analytics Client (Tableau Desktop OEM) should also upgrade to Version 10.1.4. Upgrading to Intelligence Server 2014 R3 is another recommendation.
Schneider Electric users can login at the following support sites to download the Tableau patches:
• Tableau Analytics Dashboard Server v10.1.4
• Tableau Analytics Client v10.1.4
• Wonderware Intelligence 2014 R3
Schneider Electric issued Security Bulletin LFSEC00000119, which contains additional information.