|2017-03-07||Other||Schneider Electric||Schneider Electric self-reported this vulnerability.
# Schneider Electric Wonderware Intelligence
### VULNERABLE VENDOR
### VULNERABLE PRODUCT
Schneider Electric self-reported this vulnerability.
### AFFECTED PRODUCTS
The following versions of Wonderware Intelligence, an operations management software, are affected:
Tableau Server/Desktop Versions 7.0 to 10.1.3 included in Wonderware Intelligence Versions 2014R3 and prior.
The vulnerability, if exploited, could allow a malicious entity to escalate its privilege to an administrator and take control over the host machine where Tableau Server is installed.
### VULNERABILITY OVERVIEW
CREDENTIALS MANAGEMENT CWE-255
Tableau Server is embedded within the Schneider Electric Wonderware Intelligence software and contains a system account that is installed by default.
The default system account is difficult to modify to use non-default credentials after installation, and changing the default credentials in the embedded Tableau Server is not documented.
As such, Schneider Electric has released a new software version that removes the default system account in the embedded Tableau Server.
If Tableau Server is used with Windows integrated security (Active Directory), the software is not vulnerable.
However, when Tableau Server is used with local authentication mode, the software is vulnerable.
The default system account could be used to gain unauthorized access.
CVE-2017-5178 has been assigned to this vulnerability.
A CVSS v3 base score of 9.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
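As an added example (not part of the advisory, and not Schneider Electric or Tableau code), the following Python triages an asset inventory against the two conditions stated above: an embedded Tableau version in the 7.0 to 10.1.3 range, and local authentication mode. The inventory CSV, its column names, the host names and the `local` / `active_directory` labels are constructed assumptions.

```python
import csv
import io

# Affected embedded Tableau range stated in the advisory: 7.0 to 10.1.3 inclusive.
AFFECTED_MIN, AFFECTED_MAX = (7, 0, 0), (10, 1, 3)

# Constructed sample inventory; hosts, column names and auth_mode labels are hypothetical.
SAMPLE_INVENTORY = """host,tableau_version,auth_mode
wwi-01,10.1.3,local
wwi-02,10.1.4,local
wwi-03,9.3,active_directory
wwi-04,10.1.10,local
wwi-05,8.2.1,
wwi-06,10.1.x,local
wwi-07,7.0,LOCAL
"""


def parse_version(text):
    """Turn '10.1.3' into (10, 1, 3), padding short versions such as '7.0' with zeros."""
    parts = [int(p) for p in text.strip().split(".")]
    if not 1 <= len(parts) <= 3 or any(p < 0 for p in parts):
        raise ValueError(f"unexpected version format: {text!r}")
    return tuple(parts + [0] * (3 - len(parts)))


def triage(version_text, auth_mode):
    """Classify one install against the conditions in the advisory."""
    try:
        version = parse_version(version_text)
    except ValueError:
        return "REVIEW"  # never guess from an unparseable version
    # Tuple comparison is numeric: 10.1.10 sorts above 10.1.3, 9.3 below 10.1.3.
    if not AFFECTED_MIN <= version <= AFFECTED_MAX:
        return "OUT_OF_RANGE"
    mode = (auth_mode or "").strip().lower()
    if mode == "local":
        return "VULNERABLE"  # default system account usable in local authentication mode
    if mode == "active_directory":
        return "IN_RANGE_AD"  # advisory: not vulnerable with Windows integrated security
    return "REVIEW"  # affected version, authentication mode unknown


def triage_inventory(csv_text):
    """Return {host: verdict} for every row of an inventory CSV."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return {r["host"]: triage(r["tableau_version"], r["auth_mode"]) for r in rows}
```

A plain string comparison would misclassify `10.1.10` as inside the affected range and `9.3` as outside it, which is why versions are compared as integer tuples.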
Critical Infrastructure Sectors: Critical Manufacturing, Energy, Healthcare and Public Health, and Water and Wastewater Systems
Countries/Areas Deployed: Worldwide
Company Headquarters Location: Paris, France
Schneider Electric has released a new software version to address the identified vulnerability and recommends that users of affected versions apply Tableau Server Version 10.1.4. In addition, the Analytics Client (Tableau Desktop OEM) should be upgraded to Version 10.1.4. Upgrading to Intelligence Server 2014 R3 is also recommended.
Schneider Electric customers using Wonderware Intelligence can log in at the following support sites to download the Tableau patches:
Tableau Analytics Dashboard Server v10.1.4
Tableau Analytics Client v10.1.4
Wonderware Intelligence 2014 R3
Schneider Electric has issued Security Bulletin LFSEC00000119, which contains additional information: