CVE-2017-5178

EUVD-2017-14287

08.03.2017, 08:59

An issue was discovered in Schneider Electric Tableau Server/Desktop Versions 7.0 to 10.1.3 in Wonderware Intelligence Versions 2014R3 and prior. These versions contain a system account that is installed by default. The default system account is difficult to configure with non-default credentials after installation, and changing the default credentials in the embedded Tableau Server is not documented. If Tableau Server is used with Windows integrated security (Active Directory), the software is not vulnerable. However, when Tableau Server is used with local authentication mode, the software is vulnerable. The default system account could be used to gain unauthorized access.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	9.8 CRITICAL	NETWORK	LOW	NONE	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Base Score

CVSS 3.x

EPSS Score

Percentile: 85%

Affected Products (NVD)

Vendor	Product	Version
schneider-electric	tableau_desktop	7.0
schneider-electric	tableau_desktop	10.1.3
schneider-electric	tableau_server	7.0
schneider-electric	tableau_server	10.1.3
schneider-electric	wonderware_intelligence	𝑥 ≤ 2014

𝑥

= Vulnerable software versions

Common Weakness Enumeration

CWE-1188 - Insecure Default Initialization of Resource
The software initializes or sets a resource with a default that is intended to be changed by the administrator, but the default is not secure.

References

http://software.schneider-electric.com/pdf/security-bulletin/lfsec00000119/

http://www.securityfocus.com/bid/96721

https://ics-cert.us-cert.gov/advisories/ICSA-17-066-01

http://software.schneider-electric.com/pdf/security-bulletin/lfsec00000119/

http://www.securityfocus.com/bid/96721

https://ics-cert.us-cert.gov/advisories/ICSA-17-066-01