Trane Tracer

Plan PatchCVSS 9.9ICS-CERT ICSA-21-266-02Sep 23, 2021

Trane

Attack path

Attack VectorNetwork

Auth RequiredLow

ComplexityLow

User InteractionNone needed

Summary

A code injection vulnerability in Trane Tracer building control systems allows an authenticated user to execute arbitrary code on affected controllers. The vulnerability exists in Tracer Concierge (all versions before 5.5 SP3), Tracer SC (all versions before 4.4 SP7), and Tracer SC+ (all versions before 5.5 SP3). Successful exploitation could give an attacker full control over HVAC and environmental management functions. Trane has released firmware patches for all affected products and recommends isolating controllers from the business network, restricting access, implementing strong authentication, and migrating legacy Tracer SC systems to Tracer SC+.

What this means

What could happen

An authenticated attacker could execute arbitrary code on Trane building controls, potentially allowing them to modify HVAC setpoints, disable environmental controls, or disrupt facility operations.

Who's at risk

Building facilities managers and HVAC technicians responsible for Trane Tracer building control systems. This affects any organization running Tracer Concierge, Tracer SC, or Tracer SC+ controllers in their facilities, including government buildings, hospitals, data centers, universities, and commercial office spaces.

How it could be exploited

An attacker with valid login credentials for the Tracer controller could upload or execute malicious code via the controller's web interface or management functions. This requires network access to the controller and a valid user account.

Prerequisites

Network access to Tracer controller management interface (typically port 80/443)
Valid user credentials for the Tracer controller
Controller must be reachable from attacker's network location

Requires authentication but authenticated users are often internal staff or contractorsLow complexity attack requiring only valid credentialsHigh CVSS score (9.9)Tracer SC is end-of-life with no patches planned after December 31, 2022Affects building safety and environmental control systems

Exploitability

Unlikely to be exploited — EPSS score 0.3%

Affected products (3)

3 with fix

ProductAffected VersionsFix Status

Tracer Concierge: All< 5.5 SP35.5 SP3

Tracer SC: All< 4.4 SP75.5 SP3

Tracer SC+: All< 5.5 SP35.5 SP3

Remediation & Mitigation

0/9

Do now

0/4

HARDENINGIsolate Tracer controllers from the business network and Internet using firewall rules with no exposed inbound ports

HARDENINGRestrict physical and network access to Tracer controllers to authorized personnel only

HARDENINGEnforce unique, strong passwords for all Tracer controller user accounts and prohibit credential sharing

WORKAROUNDUse Trane Connect Remote Access or equivalent secure VPN solution if remote access to controllers is required

Schedule — requires maintenance window

0/3

Patching may require device reboot — plan for process interruption

HOTFIXUpgrade Tracer Concierge to firmware version 5.5 SP3 or later

HOTFIXUpgrade Tracer SC to firmware version 4.4 SP7 or later

HOTFIXUpgrade Tracer SC+ to firmware version 5.5 SP3 or later

Long-term hardening

0/2

HARDENINGImplement network segmentation using VLANs to separate building controls from other networked systems

HARDENINGMigrate Tracer SC controllers to Tracer SC+ before December 31, 2022 end-of-life date

CVEs (1)

CVE-2021-38450

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/0ebc74a5-e063-4757-a2d0-2d8d216d2899

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.