CVE-2017-5178 in Tableau Server
Summary
by MITRE
An issue was discovered in Schneider Electric Tableau Server/Desktop Versions 7.0 to 10.1.3 in Wonderware Intelligence Versions 2014R3 and prior. These versions contain a system account that is installed by default. The default system account is difficult to configure with non-default credentials after installation, and changing the default credentials in the embedded Tableau Server is not documented. If Tableau Server is used with Windows integrated security (Active Directory), the software is not vulnerable. However, when Tableau Server is used with local authentication mode, the software is vulnerable. The default system account could be used to gain unauthorized access.
Analysis
by VulDB Data Team • 03/08/2017
The vulnerability identified in CVE-2017-5178 represents a critical authentication flaw within Schneider Electric's Wonderware Intelligence platform, specifically affecting Tableau Server and Desktop versions ranging from 7.0 through 10.1.3. This weakness stems from the presence of a default system account that is automatically installed without requiring explicit configuration or documentation of secure credential management procedures. The flaw manifests as a persistent security risk because the system account cannot be easily reconfigured with non-default credentials after initial installation, creating a potential backdoor for unauthorized access. The vulnerability is particularly concerning because it affects the embedded Tableau Server component, which is integral to the platform's functionality and data visualization capabilities.
Technically, the vulnerability is an insecure default configuration of the software's authentication mechanism. In CWE terms this is CWE-798 (Use of Hard-coded Credentials): credentials of this kind should never be present in production systems, because they provide persistent access points that remain unchanged regardless of security requirements. The exposure exists in the authentication flow when local authentication mode is enabled, where malicious actors can use the default system account to bypass normal authentication procedures. The lack of documentation on credential management for the embedded Tableau Server component exacerbates the issue, as administrators are left without clear guidance on how to secure this default account.
The operational impact of CVE-2017-5178 extends beyond simple unauthorized access: it could enable attackers to escalate privileges and gain persistent access to industrial control systems. The vulnerability aligns with ATT&CK technique T1078 (Valid Accounts), which describes the use of legitimate credentials to maintain access to systems. When Tableau Server operates in local authentication mode, the default system account becomes a critical attack vector that could allow threat actors to establish persistent backdoors within industrial environments. The vulnerability affects systems that rely on Wonderware Intelligence 2014R3 and earlier versions, which are commonly deployed in manufacturing and industrial automation settings where the compromise of authentication systems could lead to significant operational disruptions and potential safety hazards.
Organizations affected by this vulnerability should implement immediate mitigations: disable local authentication mode when possible (the software is not vulnerable when Tableau Server is used with Windows integrated security), ensure that any default system accounts are configured with strong, unique credentials, and use network segmentation to limit access to Tableau Server components. Remediation should include credential management policies that address the specific configuration issues outlined in the vulnerability description. Security teams must also consider the broader implications of this flaw within their industrial control system environments, as the vulnerability could potentially be leveraged to gain access to critical infrastructure data and operations. Additionally, regular security assessments should be conducted to identify and remediate similar hardcoded credential issues across all industrial automation platforms. The vulnerability demonstrates the importance of secure configuration management and of robust credential lifecycle management processes within industrial environments.
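The affected-version and authentication-mode conditions from the summary can be turned into an inventory triage check. The following is an added example, not code from MITRE, VulDB or the vendor; the record fields (`name`, `tableau`, `wi`, `auth`), the auth-mode labels and the sample hosts are constructed assumptions, and a bare year such as `2014` is assumed to sort before its `R` releases.

```python
import re

# Bounds taken from the advisory text: Tableau 7.0 to 10.1.3,
# Wonderware Intelligence 2014R3 and prior.
TABLEAU_MIN, TABLEAU_MAX = (7, 0, 0), (10, 1, 3)
WI_MAX = (2014, 3)

def parse_tableau(v):
    """'10.1.3' -> (10, 1, 3); None if not a dotted numeric version."""
    v = v.strip()
    if not re.fullmatch(r"\d+(\.\d+){0,2}", v):
        return None
    parts = [int(p) for p in v.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))

def parse_wi(v):
    """'2014R3' -> (2014, 3); '2014' -> (2014, 0); None if unrecognised."""
    m = re.fullmatch(r"(\d{4})\s*(?:R(\d+))?", v.strip(), re.IGNORECASE)
    return (int(m.group(1)), int(m.group(2) or 0)) if m else None

def triage(host):
    """Return 'exposed', 'not-exposed' or 'review' for one inventory record."""
    tab, wi = parse_tableau(host["tableau"]), parse_wi(host["wi"])
    mode = host["auth"].strip().lower()
    if tab is None or wi is None or mode not in ("local", "activedirectory"):
        return "review"  # unparseable or unknown data: check by hand
    in_range = TABLEAU_MIN <= tab <= TABLEAU_MAX and wi <= WI_MAX
    if not in_range:
        return "not-exposed"  # outside the range this advisory covers
    # In range: only local authentication mode is vulnerable per the advisory.
    return "exposed" if mode == "local" else "not-exposed"

def exposed_hosts(inventory):
    """Names of hosts to prioritise, plus names needing manual review."""
    results = {h["name"]: triage(h) for h in inventory}
    return ([n for n, r in results.items() if r == "exposed"],
            [n for n, r in results.items() if r == "review"])

# Constructed sample inventory (hypothetical hosts, not real data).
INVENTORY = [
    {"name": "hist-01", "tableau": "10.1.3", "wi": "2014R3", "auth": "local"},
    {"name": "hist-02", "tableau": "9.0", "wi": "2014 R2", "auth": "ActiveDirectory"},
    {"name": "hist-03", "tableau": "10.1.4", "wi": "2014R3", "auth": "local"},
    {"name": "hist-04", "tableau": "n/a", "wi": "2012R2", "auth": "local"},
]

if __name__ == "__main__":
    print(exposed_hosts(INVENTORY))
```

Hosts returned in the second list have version or authentication data the script cannot interpret and should be checked manually rather than assumed safe.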