Source: nessus
Plugin file: TENABLE_OT_TRANE_CVE-2021-38450.NASL
This script is Copyright (C) 2023-2024 and is owned by Tenable, Inc. or an Affiliate thereof.
History: Oct 23, 2023 - 12:00 a.m.

Trane Tracer Improper Control of Generation of Code (CVE-2021-38450)

Tags: trane tracer, controller vulnerability, firmware upgrade, user credential, best practices, software alteration

AI Score: 8.8 High (Confidence: High)
The affected controllers do not properly sanitize the input containing code syntax. As a result, an attacker could craft code to alter the intended controller flow of the software.

This plugin only works with Tenable.ot.
Please visit https://www.tenable.com/products/tenable-ot for more information.

#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##

include('compat.inc');

if (description)
{
  script_id(501758);
  script_version("1.7");
  script_set_attribute(attribute:"plugin_modification_date", value:"2024/04/11");

  script_cve_id("CVE-2021-38450");

  script_name(english:"Trane Tracer Improper Control of Generation of Code (CVE-2021-38450)");

  script_set_attribute(attribute:"synopsis", value:
"The remote OT asset is affected by a vulnerability.");
  script_set_attribute(attribute:"description", value:
"The affected controllers do not properly sanitize the input containing
code syntax. As a result, an attacker could craft code to alter the
intended controller flow of the software.

This plugin only works with Tenable.ot.
Please visit https://www.tenable.com/products/tenable-ot for more information.");
  script_set_attribute(attribute:"see_also", value:"https://us-cert.cisa.gov/ics/advisories/icsa-21-266-02");
  script_set_attribute(attribute:"solution", value:
"The following text was originally created by the Cybersecurity and Infrastructure Security Agency (CISA). The original
can be found at CISA.gov.

Affected users should contact a Trane representative to install updated firmware or request additional information.
Please reference Trane service database number HUB-205962 when contacting the Trane office.

Tracer SC is no longer actively developed, tested, or sold. Tracer SC will be considered end-of-life on December 31,
2022. Trane recommends identifying a migration plan for replacing the Tracer SC controller with the next-generation
Tracer SC+ controller. Tracer SC+ can function as a drop-in replacement for Tracer SC, providing significant updates to
security capabilities.

Trane has identified the following specific mitigations:

- Tracer SC: Upgrade to v4.4 SP7 or later
- Tracer SC+: Upgrade to v5.5 SP3 or later
- Tracer Concierge: Upgrade to v5.5 SP3 or later

In addition to the specific recommendations above, Trane continues to recommend the following best practices as an
additional protection against this and other controller vulnerabilities:

- Restrict physical controller access to trained and trusted personnel.
- Isolate Tracer controls from other network devices using virtual local area networks (VLAN), and from the Internet
using a firewall with no exposed inbound ports.
- Use secure remote access solutions, such as Trane Connect Remote Access, when needed.
- Ensure user credentials are not shared and follow best practices for appropriate complexity (e.g., strong passwords).
- Have a well-documented process and owner to ensure regular software/firmware updates and keep systems up to date.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2021-38450");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_cwe_id(94);

  script_set_attribute(attribute:"vuln_publication_date", value:"2021/10/27");
  script_set_attribute(attribute:"patch_publication_date", value:"2021/10/27");
  script_set_attribute(attribute:"plugin_publication_date", value:"2023/10/23");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:trane:tracer_sc%2b_firmware");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:trane:tracer_sc%2b_firmware:5.5:-");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:trane:tracer_sc_firmware");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:trane:tracer_sc_firmware:4.4:-");
  script_set_attribute(attribute:"generated_plugin", value:"former");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Tenable.ot");

  script_copyright(english:"This script is Copyright (C) 2023-2024 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("tenable_ot_api_integration.nasl");
  script_require_keys("Tenable.ot/Trane");

  exit(0);
}


include('tenable_ot_cve_funcs.inc');

get_kb_item_or_exit('Tenable.ot/Trane');

var asset = tenable_ot::assets::get(vendor:'Trane');

var vuln_cpes = {
    "cpe:/o:trane:tracer_sc_firmware" :
        {"versionEndExcluding" : "4.4", "family" : "TracerSC"},
    "cpe:/o:trane:tracer_sc_firmware:4.4:-" :
        {"versionEndIncluding" : "4.4.7", "versionStartIncluding" : "4.4", "family" : "TracerSC"},
    "cpe:/o:trane:tracer_sc%2b_firmware" :
        {"versionEndExcluding" : "5.5", "family" : "TracerSCPlus"},
    "cpe:/o:trane:tracer_sc%2b_firmware:5.5:-" :
        {"versionEndExcluding" : "5.5.3", "versionStartIncluding" : "5.5", "family" : "TracerSCPlus"}
};

tenable_ot::cve::compare_and_report(asset:asset, cpes:vuln_cpes, severity:SECURITY_WARNING);

| Vendor | Product | Version | CPE |
|--------|---------|---------|-----|
| trane | tracer_sc%2b_firmware | | cpe:/o:trane:tracer_sc%2b_firmware |
| trane | tracer_sc%2b_firmware | 5.5 | cpe:/o:trane:tracer_sc%2b_firmware:5.5:- |
| trane | tracer_sc_firmware | | cpe:/o:trane:tracer_sc_firmware |
| trane | tracer_sc_firmware | 4.4 | cpe:/o:trane:tracer_sc_firmware:4.4:- |
