Trane Tracer Improper Control of Generation of Code (CVE-2021-38450)

high Tenable OT Security Plugin ID 501758

Synopsis

The remote OT asset is affected by a vulnerability.

Description

The affected controllers do not properly sanitize the input containing code syntax. As a result, an attacker could craft code to alter the intended controller flow of the software.

This plugin only works with Tenable.ot.
Please visit https://www.tenable.com/products/tenable-ot for more information.

Solution

The following text was originally created by the Cybersecurity and Infrastructure Security Agency (CISA). The original can be found at CISA.gov.

Affected users should contact a Trane representative to install updated firmware or request additional information.
Please reference Trane service database number HUB-205962 when contacting the Trane office.

Tracer SC is no longer actively developed, tested, or sold. Tracer SC will be considered end-of-life on December 31, 2022. Trane recommends identifying a migration plan for replacing the Tracer SC controller with the next-generation Tracer SC+ controller. Tracer SC+ can function as a drop-in replacement for Tracer SC, providing significant updates to security capabilities.

Trane has identified the following specific mitigations:

- Tracer SC: Upgrade to v4.4 SP7 or later
- Tracer SC+: Upgrade to v5.5 SP3 or later
- Tracer Concierge: Upgrade to v5.5 SP3 or later

In addition to the specific recommendations above, Trane continues to recommend the following best practices as an additional protection against this and other controller vulnerabilities:

- Restrict physical controller access to trained and trusted personnel.
- Isolate Tracer controls from other network devices using virtual local area networks (VLAN), and from the Internet using a firewall with no exposed inbound ports.
- Use secure remote access solutions, such as Trane Connect Remote Access, when needed.
- Ensure user credentials are not shared and follow best practices for appropriate complexity (e.g., strong passwords).
- Have a well-documented process and owner to ensure regular software/firmware updates and keep systems up to date.

See Also

https://us-cert.cisa.gov/ics/advisories/icsa-21-266-02

Plugin Details

Severity: High

ID: 501758

Version: 1.8

Type: remote

Family: Tenable.ot

Published: 10/23/2023

Updated: 9/4/2024

Supported Sensors: Tenable OT Security

Risk Information

VPR

Risk Factor: Medium

Score: 5.9

CVSS v2

Risk Factor: Medium

Base Score: 6.5

Temporal Score: 4.8

Vector: CVSS2#AV:N/AC:L/Au:S/C:P/I:P/A:P

CVSS Score Source: CVE-2021-38450

CVSS v3

Risk Factor: High

Base Score: 8.8

Temporal Score: 7.7

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

CPE: cpe:/o:trane:tracer_sc%2b_firmware, cpe:/o:trane:tracer_sc_firmware:4.4:-, cpe:/o:trane:tracer_sc%2b_firmware:5.5:-, cpe:/o:trane:tracer_sc_firmware

Required KB Items: Tenable.ot/Trane

Exploit Ease: No known exploits are available

Patch Publication Date: 10/27/2021

Vulnerability Publication Date: 10/27/2021

Reference Information

CVE: CVE-2021-38450

CWE: 94

ICSA: 21-266-02