Trane Tracer

1. EXECUTIVE SUMMARY

• CVSS v3 9.9 *ATTENTION: Exploitable remotely/low attack complexity
• **Vendor:**Trane
• **Equipment:**Tracer SC, Tracer SC+, and Tracer Concierge
• Vulnerability: Code Injection

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an authenticated user to execute arbitrary code on the controller.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of Trane building automation products:

• Tracer SC: All versions prior to v4.4 SP7
• Tracer SC+: All versions prior to v5.5 SP3
• Tracer Concierge: All versions prior to v5.5 SP3

3.2 VULNERABILITY OVERVIEW

3.2.1 IMPROPER CONTROL OF GENERATION OF CODE (‘CODE INJECTION’) CWE-94

The affected controllers do not properly sanitize the input containing code syntax. As a result, an attacker could craft code to alter the intended controller flow of the software.

CVE-2021-38450 has been assigned to this vulnerability. A CVSS v3 base score of 9.9 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:H/A:H).

3.3 BACKGROUND

• CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
• **COUNTRIES/AREAS DEPLOYED:**Worldwide
• **COMPANY HEADQUARTERS LOCATION:**Ireland

3.4 RESEARCHER

Trane reported this vulnerability to CISA.

4. MITIGATIONS

Affected users should contact a Trane representative to install updated firmware or request additional information. Please reference Trane service database number HUB-205962 when contacting the Trane office.

Tracer SC is no longer actively developed, tested, or sold. Tracer SC will be considered end-of-life on December 31, 2022. Trane recommends identifying a migration plan for replacing the Tracer SC controller with the next-generation Tracer SC+ controller. Tracer SC+ can function as a drop-in replacement for Tracer SC, providing significant updates to security capabilities.

Trane has identified the following specific mitigations:

• Tracer SC: Upgrade to v4.4 SP7 or later
• Tracer SC+: Upgrade to v5.5 SP3 or later
• Tracer Concierge: Upgrade to v5.5 SP3 or later

In addition to the specific recommendations above, Trane continues to recommend the following best practices as an additional protection against this and other controller vulnerabilities:

• Restrict physical controller access to trained and trusted personnel.
• Isolate Tracer controls from other network devices using virtual local area networks (VLAN), and from the Internet using a firewall with no exposed inbound ports.
• Use secure remote access solutions, such as Trane Connect Remote Access, when needed.
• Ensure user credentials are not shared and follow best practices for appropriate complexity (e.g., strong passwords).
• Have a well-documented process and owner to ensure regular software/firmware updates and keep systems up to date.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. Specifically, users should:

• Minimize network exposure for all control system devices and/or systems, and ensure that they are not accessible from the Internet.
• Locate control system networks and remote devices behind firewalls, and isolate them from the business network.
• When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as its connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on us-cert.cisa.gov. Several recommended practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage on us-cert.cisa.gov in the Technical Information Paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing any suspected malicious activity should follow their established internal procedures and report their findings to CISA for tracking and correlation against other incidents.

No known public exploits specifically target this vulnerability.