Trane HVAC Systems Controls

MonitorCVSS 6.3ICS-CERT ICSA-21-292-02Oct 19, 2021

Trane

Attack path

Attack VectorNetwork

Auth RequiredLow

ComplexityLow

User InteractionNone needed

Summary

A Cross-Site Scripting (XSS) vulnerability exists in Trane Tracer SC building automation controllers running firmware v3.8 and prior. An attacker on the network can inject malicious script code into the web interface, which executes in the context of an authenticated user's browser session. This allows the attacker to redirect the user to a malicious webpage and steal their session cookie, potentially gaining unauthorized access to controller functions. The vulnerability affects all Tracer SC firmware versions up to and including v3.8. Tracer SC is end-of-life as of December 31, 2022, and Trane recommends migration to the Tracer SC+ controller.

What this means

What could happen

An attacker with network access could redirect HVAC operators to a malicious website and steal their login cookies, potentially gaining unauthorized access to the building control system. This could allow an attacker to alter temperature setpoints, disable alarms, or disrupt HVAC operations.

Who's at risk

Building facility managers and HVAC operators at any organization running Trane Tracer SC building automation controllers. This affects commercial and institutional buildings relying on Tracer SC for temperature, humidity, and equipment control. Particularly important for critical facilities like hospitals, data centers, and manufacturing plants where HVAC disruption could impact operations or safety.

How it could be exploited

An attacker on the network could perform a Cross-Site Scripting (XSS) attack against the Tracer SC web interface. By injecting malicious script code, the attacker could redirect an authenticated user to a fake login page or malicious site to capture their session cookie, then use that cookie to access the controller without needing their password.

Prerequisites

Network access to the Tracer SC web interface (typically port 80 or 443)
User must be logged into the Tracer SC controller or visit a malicious link while authenticated
No special credentials required to exploit the XSS vulnerability itself

Remotely exploitable over networkNo authentication required for the XSS attack itselfLow complexity attackEnd-of-life product—vendor will not provide long-term supportAffects building control systems that operators rely on daily

Exploitability

Unlikely to be exploited — EPSS score 0.3%

Affected products (1)

ProductAffected VersionsFix Status

Tracer SC: Firmware v3.8 and prior≤ 3.8v4.4 SP7 or higher

Remediation & Mitigation

0/3

Do now

0/1

HARDENINGImplement network segmentation to restrict access to the Tracer SC web interface to only authorized engineering workstations and management networks. Use firewall rules to limit inbound connections to port 80/443 on the controller.

Schedule — requires maintenance window

0/1

Patching may require device reboot — plan for process interruption

HOTFIXUpgrade Tracer SC firmware to version 4.4 SP7 or higher. Contact a regional Trane office to perform the firmware update or reference service database number HUB-207592.

Long-term hardening

0/1

HARDENINGDevelop and execute a migration plan to replace Tracer SC controllers with Tracer SC+ controllers, which provide enhanced security and are actively maintained. Tracer SC reaches end-of-life on December 31, 2022.

CVEs (1)

CVE-2021-42534

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/9e329ee4-6309-461f-99c3-7b76900d8b8f

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.