Questions and Answers regarding ADV-2017-001: Privilege escalation in Tableau Server

Version 9

    The following contains more details regarding the security bulletin ADV-2017-001: Privilege escalation in Tableau Server

     

    Below are details on:

    • How to check if your system is vulnerable
    • How to mitigate the vulnerability
    • How to detect if your Tableau Server was impacted
    • How to get more information

     

     

    How do I know if my system is vulnerable?

    1. Sign in with an account that is an administrator on the Tableau Server computer.
    2. Open the Tableau Server Configuration Utility (Start > All Programs > Tableau Server > Configure Tableau Server).
    3. On the General tab, look at the configuration under User Authentication:

     

    • If Use Local Authentication is selected, then your server is vulnerable. Follow the procedure described in the section “How do I change the user password and permissions” to mitigate the vulnerability.
    • If Use Active Directory is selected, then your server is not vulnerable to this threat.

     

     

    How do I change the user password and permissions?

    To update the _system password on supported (8.3 and newer) vulnerable versions of Tableau, run the following procedure on each Tableau Server instance in your organization. Note: These steps do not need to be done on each computer in the Tableau Server installation. Worker machines will be automatically updated.

     

    If you are running an unsupported version (prior to version 8.3) of Tableau Server, the following steps may require minor modifications to account for path and executable differences.

     

    1. On the computer that is running Tableau Server, open the Windows Command prompt as an administrator.
    2. Navigate to the OpenSSL command line tool by running the following command:

      cd "C:\Program Files\Tableau\Tableau Server\<version>\apache\bin"

       

      where <version> is the Tableau Server version that you are running, such as 10.1, and C: is the drive where you have installed Tableau Server.

    3. Generate an encoded random password with OpenSSL by running the following command:

       

      openssl rand -base64 32

       

      A base64 encoded password string is returned. A warning is also displayed ("Can't open config file"). This is a benign warning that you can ignore.

    4. Copy the encoded password.
    5. Navigate to the tabadmin directory by running the following command:

      cd "C:\Program Files\Tableau\Tableau Server\<version>\bin"

       
      where <version> is the Tableau Server version that you are running, such as 10.1, and C: is the drive where you have installed Tableau Server.

    6. Run the following tabadmin command to set the password:

      tabadmin passwd _system


      When prompted, paste the password that you copied earlier.

      Note: If you receive an error, "Tableau Server is not configured for local authentication," then you can skip the remainder of these steps. Your Tableau Server installation is already secured against this vulnerability.

    7. Run the following tabadmin command to remove administrative privileges from the account.

     

      tabadmin administrator _system false

     

    This command may return a "denied" message ("denied administrator from _system"). This message is an indication that you have successfully removed administration permissions from the _system account.

     

    After you complete the steps to change the user, please schedule an upgrade to the latest maintenance release.

     

    With the upgrade, your Tableau Server instance will be secure against this vulnerability.

     

    Why are no characters shown when I enter the password at the prompt?

    In the Windows Command Prompt, the cursor does not move and no characters are displayed while a password is entered. If the password is entered correctly both times, you will see a message.

     

    Could I remove the _system user instead?

    It is not possible to remove the _system user as the account is required for Tableau Server.  Please follow the steps to modify the _system user and schedule an upgrade to mitigate risk.

     

    Can I validate if my Tableau Server was impacted?

    If your Tableau Server deployment was impacted, this can be identified within your Tableau Server logs and repository, which contain information from the last 180 days by default. Please review the Server Admin View ‘Actions by Specific User’ or ‘User Activity’ to look for activity from the "_system" or "workgroupadmin" account. If the account has been used during the recorded period, there will be activity for this user, and this may indicate that your Server has been compromised.

    If you have cleared Tableau Server logs and access history, it will not be possible to validate the issue.
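
    The review described above can also be run over an exported copy of the activity data. The following Python is an added example, not Tableau's code; the CSV layout (timestamp, username and action columns) and the sample rows are constructed assumptions. It reports activity by the two accounts named above and marks the result inconclusive when the history does not reach back the full 180 days, for example after logs were cleared.

```python
import csv
import io
from datetime import datetime, timedelta

WATCHED = {"_system", "workgroupadmin"}  # accounts named in the advisory
RETENTION_DAYS = 180                     # default history window per the advisory

# Constructed sample export; the column names are assumptions, not Tableau's.
SAMPLE_CSV = """timestamp,username,action
2017-01-03T09:12:44,alice,Access View
2017-01-05T02:31:10,_system,Login
2017-01-05T02:33:52,_SYSTEM,Create User
2017-01-20T14:02:07,bob,Publish Workbook
"""

def review_activity(csv_text, now):
    """Summarise watched-account activity and how far back the export reaches."""
    hits, earliest = {}, None
    for row in csv.DictReader(io.StringIO(csv_text)):
        ts = datetime.fromisoformat(row["timestamp"])
        earliest = ts if earliest is None or ts < earliest else earliest
        name = row["username"].strip().lower()  # match regardless of case
        if name in WATCHED:
            entry = hits.setdefault(
                name, {"count": 0, "first": ts, "last": ts, "actions": set()})
            entry["count"] += 1
            entry["first"] = min(entry["first"], ts)
            entry["last"] = max(entry["last"], ts)
            entry["actions"].add(row["action"])
    window_start = now - timedelta(days=RETENTION_DAYS)
    # History that starts after the window opens cannot rule out earlier use.
    full_coverage = earliest is not None and earliest <= window_start
    if hits:
        verdict = "activity found"
    elif full_coverage:
        verdict = "no activity in window"
    else:
        verdict = "inconclusive"
    return {"verdict": verdict, "hits": hits, "earliest": earliest}

if __name__ == "__main__":
    result = review_activity(SAMPLE_CSV, now=datetime(2017, 2, 1))
    print(result["verdict"])
    for name, e in sorted(result["hits"].items()):
        print(name, e["count"], e["first"], e["last"], sorted(e["actions"]))
```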

     

    Do the mitigation steps impact any of my existing Tableau Server administrator accounts?

    No. This is a local account that is created by Tableau Server.

     

    How can I find out more and get more support?

    If you would like more information about this vulnerability, or would like support in securing your environment, please contact support at www.tableau.com/support/request. Use the ADV-2017-001 ID number so we can prioritize your case.