Privilege Escalation Flaw Patched in Schneider Wonderware

Data analysis and visualization software deployed inside a larger operational intelligence software sold by Schneider Electric has been patched against a critical privilege escalation vulnerability.

The vulnerability was discovered in-house by Schneider Electric engineers in the Tableau server/desktop products. Versions 7.0 to 10.1.3 of the software running inside Schneider’s Wonderware Intelligence 2014R3 and earlier are affected.

“The vulnerability, if exploited, could allow a malicious entity to escalate its privilege to an administrator and take control over the host machine where Tableau Server is installed,” said an advisory published this week by the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT).

The flaw, CVE-2017-5178, contain a default system account with default credentials that are a challenge to change; in fact, according to a vulnerability analysis published by the National Vulnerability Database, the process to update the default credentials is not documented.

“If Tableau Server is used with Windows integrated security (Active Directory), the software is not vulnerable. However, when Tableau Server is used with local authentication mode, the software is vulnerable,” the NVD said. “The default system account could be used to gain unauthorized access.”

Schneider has patched the vulnerability in an update and says users should upgrade Tableau Server to version 10.1.4.

“In addition, the Analytics Client (Tableau Desktop OEM) should also be upgraded to Version 10.1.4,” ICS-CERT said in its advisory. “Upgrading to Intelligence Server 2014 R3 is also recommended.”

This software is used in Schneider gear worldwide in a number of critical industries including energy, water and manufacturing.

Schneider Wonderware collates data from disparate sources under a single set of information and analyzes and provides visualization of industrial operations to an organization. Operators use the data to track performance and other key metrics, the company said. Tableau Server is business intelligence software that works in concert with Wonderware by producing dashboards shared in the server.

This is the second credentials-related vulnerability this year in Wonderware. In January, a critical vulnerability was patched in Wonderware Historian, which is used to capture, store and manage big data. The flaw could be used to exploit Historian databases by taking advantage of accessible default passwords.