ADV-2015-004 Security Advisory: Tableau Desktop for Mac Might Treat Untrusted Certificates as Valid


Product(s): Tableau Desktop
Version(s): 9.0, 8.3, 8.2, 9.1
Last Modified Date: 16 Aug 2016

This article describes a security vulnerability that affects Tableau products and includes information about how to resolve or work around the issue.

Description

In Tableau Desktop for Mac, certificates that are configured as “Never Trust” in the keychain are trusted by Tableau Desktop.

Affected products

This vulnerability only affects Tableau Desktop running on Mac OS X.

  • Tableau Desktop 8.2 (through 8.2.15), 8.3 (through 8.3.10)
  • Tableau Desktop 9.0 (through 9.0.7)
  • Tableau Desktop 9.1.1

Tableau Public, Tableau Server, and Tableau Online are not affected.

Conditions

This vulnerability is exposed when all of the following conditions are true:

  • A user is running Mac OS X with an affected version of Tableau Desktop.

  • The Mac keychain stores a root, intermediate, or self-signed certificate that is set to “Never Trust.”

    In Mac OS X, users can set a certificate to “Never Trust.” More commonly, however, root certificate authority (CA) certificates that are set to “Never Trust” are installed with OS X as “Always Ask” certificates. When an application attempts to use a “Never Trust” or “Always Ask” certificate, the user is prompted to either trust or not trust it. In the Mac OS X keychain, the icon for an untrusted certificate is marked with a red X.

    To view a list of the “Never Trust” / “Always Ask” certificates that are installed on Mac OS X, open the Apple support page “Lists of available trusted root certificates in OS X,” click the version of OS X you are running, and then click the “Always Ask” link.

  • The user initiates an SSL/TLS session with a server that presents a certificate issued by the non-trusted certificate (or from a CA certified by the non-trusted certificate) during the SSL/TLS handshake.

  • The certificate presented by the server is otherwise valid. Tableau Desktop does not check for certificate revocation.

Impact

An attacker who can obtain a certificate from a CA that is marked as “Not Trusted” in the Mac OS X keychain could use the certificate to impersonate communications with Tableau Desktop.

Likewise, if the user has previously marked an attacker’s self-signed certificate as “Not Trusted,” the attacker could still use that certificate to impersonate communications.

For example, in a successful attack, the attacker could impersonate a Tableau Server, a data source, a web connector, or the discovery pane of the web client. Any data, including user names and passwords, that Tableau Desktop communicates to these various components would be at risk of disclosure.
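The Conditions and Impact sections above describe a trust-policy defect: a chain that anchors in a keychain root is accepted even when that root (or a self-signed leaf) is marked “Never Trust.” The following added example, which is not part of the advisory or Tableau’s code, models that policy with constructed certificates and a constructed keychain (all names are made up) and places the defective check beside a check that honours the trust setting:

```python
from typing import Dict, List, Optional
# Constructed keychain (not real data): certificate subject -> trust setting.
# "Never Trust" is the explicit distrust the advisory describes; "Always Ask"
# needs a user decision and is not trusted by default.
KEYCHAIN: Dict[str, str] = {
    "Example Trusted Root CA": "Always Trust",
    "Example Distrusted Root CA": "Never Trust",
    "Example Ask Root CA": "Always Ask",
    "self-signed.example.test": "Never Trust",  # attacker cert the user rejected
}

Cert = Dict[str, str]  # {"subject": ..., "issuer": ...}; root has subject == issuer

def chain_anchor(chain: List[Cert]) -> Optional[str]:
    """Walk leaf -> root; return the root's subject if every issuer link
    matches and the root is present in the keychain, else None."""
    if not chain:
        return None
    for child, parent in zip(chain, chain[1:]):
        if child["issuer"] != parent["subject"]:
            return None  # broken issuer link
    root = chain[-1]
    if root["subject"] != root["issuer"] or root["subject"] not in KEYCHAIN:
        return None
    return root["subject"]

def vulnerable_verify(chain: List[Cert]) -> bool:
    """Models the defect: a root merely present in the keychain is accepted,
    whatever its trust setting says."""
    return chain_anchor(chain) is not None

def fixed_verify(chain: List[Cert], user_accepts_prompt: bool = False) -> bool:
    """Honours the setting: "Never Trust" is rejected outright; "Always Ask"
    is accepted only after an explicit user decision."""
    root = chain_anchor(chain)
    if root is None:
        return False
    setting = KEYCHAIN[root]
    if setting == "Always Trust":
        return True
    if setting == "Always Ask":
        return user_accepts_prompt
    return False  # "Never Trust" (or any unrecognised setting)

def make_chain(root_name: str) -> List[Cert]:
    """Constructed server chain: leaf -> intermediate -> the named root."""
    return [
        {"subject": "tableau-server.example.test", "issuer": root_name + " Intermediate"},
        {"subject": root_name + " Intermediate", "issuer": root_name},
        {"subject": root_name, "issuer": root_name},
    ]
```

A single-element chain whose subject equals its issuer models the self-signed case from the Impact section.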

Resolution

Upgrade Tableau Desktop to a version that will not use root CA certificates that are configured as “Not Trusted” in the Mac keychain.

  • Tableau Desktop 8.2.16 and newer
  • Tableau Desktop 8.3.11 and newer
  • Tableau Desktop 9.0.8 and newer
  • Tableau Desktop 9.1.2 and newer

Vulnerability scoring

  • Vulnerability: Medium

  • CVSS v2.0 Base Score: 4.3

  • CVSS v2.0 Vector: AV:A/AC:H/Au:N/C:P/I:P/A:P

    For more information about vectors, see CVSS v2 Vector Definitions on the National Vulnerability Database site.
