[Important] ADV-2017-013: Unauthenticated privilege escalation when Server SAML is configured on Tableau Server
Severity: Critical
Summary:

Tableau Server is vulnerable to an unauthenticated privilege escalation under the following conditions:

• Installations that have Server SAML and Local Authentication configured in tandem.

The following configurations are NOT vulnerable:

• Installations that only use Site SAML.
• User accounts that have been configured with an explicit password to enable REST API or tabcmd access.
• Organizations that synchronize user accounts from Active Directory.

For guidance determining if your organization is running a vulnerable configuration, see Questions and Answers regarding ADV-2017-013: Privilege escalation in Tableau Server.
Impact: An unauthenticated attacker can escalate their privilege to access resources with the permissions of other Tableau Server users.
Vulnerable Versions:

10.0.0 (through 10.0.10), 10.1.0 (through 10.1.8), 10.2.0 (through 10.2.2), 10.3.0
Resolution: The issue can be fixed by upgrading to the following Tableau Server versions:
Tableau Server: 10.0.11

Tableau Server: 10.1.9

Tableau Server: 10.2.3

Tableau Server: 10.3.1
Mitigation: If your Tableau Server instance is using one of the vulnerable configurations, and you are unable to upgrade to a fixed version now, see Questions and Answers regarding ADV-2017-013: Privilege escalation in Tableau Server.
Acknowledgement: Greg Harris of the Fitbit Security Team