Risk Summary
Successful exploitation of this vulnerability could allow an authenticated user to execute arbitrary code on the controller.
CVEs (1)
Remediations
- Affected users should contact a Trane representative to install updated firmware or request additional information. Please reference Trane service database number HUB-205962 when contacting the Trane office.
- Tracer SC is no longer actively developed, tested, or sold. Tracer SC will be considered end-of-life on December 31, 2022. Trane recommends identifying a migration plan for replacing the Tracer SC controller with the next-generation Tracer SC+ controller. Tracer SC+ can function as a drop-in replacement for Tracer SC, providing significant updates to security capabilities.
- Tracer SC: Upgrade to v4.4 SP7 or later
- Tracer SC+: Upgrade to v5.5 SP3 or later
- Tracer Concierge: Upgrade to v5.5 SP3 or later
- In addition to the specific recommendations above, Trane continues to recommend the following best practices as further protection against this and other controller vulnerabilities:
  - Restrict physical controller access to trained and trusted personnel.
  - Isolate Tracer controls from other network devices using virtual local area networks (VLANs), and from the Internet using a firewall with no exposed inbound ports.
  - Use secure remote access solutions, such as Trane Connect Remote Access, when needed.
  - Ensure user credentials are not shared and follow best practices for appropriate complexity (e.g., strong passwords).
  - Have a well-documented process and owner to ensure regular software/firmware updates and keep systems up to date.
Affected Vendors
Trane
Affected Products (3)
- Trane · Tracer Concierge: < 5.5 SP3
- Trane · Tracer SC: < 4.4 SP7
- Trane · Tracer SC+: < 5.5 SP3
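The version thresholds above are only useful once they are checked against what is actually deployed. The following is an added example (not code from the advisory or from Trane) that parses Trane's "X.Y SPn" version strings, compares each controller in an inventory against the fixed version for its product, and flags Tracer SC units for migration because the advisory lists that product as end-of-life. It assumes the inventory is available as (hostname, product, version) tuples; the hostnames and installed versions in `SAMPLE_INVENTORY` are constructed for the example.

```python
import re

# Fixed versions taken from the advisory above; a controller running anything
# lower than the listed version for its product is affected.
FIXED_VERSIONS = {
    "Tracer SC": "4.4 SP7",
    "Tracer SC+": "5.5 SP3",
    "Tracer Concierge": "5.5 SP3",
}

# Trane writes versions as "4.4 SP7" or "v5.5 SP3"; an optional third numeric
# component and a missing "SPn" suffix (treated as SP0) are also accepted.
_VERSION_RE = re.compile(
    r"^\s*v?(\d+)\.(\d+)(?:\.(\d+))?\s*(?:SP\s*(\d+))?\s*$", re.IGNORECASE
)


def parse_version(text):
    """Turn a Tracer version string into a comparable (major, minor, patch, sp) tuple."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError("unrecognised Tracer version string: %r" % (text,))
    major, minor, patch, sp = m.groups()
    return (int(major), int(minor), int(patch or 0), int(sp or 0))


def is_affected(product, installed):
    """True if `installed` is below the fixed version for `product`."""
    if product not in FIXED_VERSIONS:
        raise KeyError("product not covered by this advisory: %r" % (product,))
    return parse_version(installed) < parse_version(FIXED_VERSIONS[product])


def triage(inventory):
    """Return one finding per affected controller in an inventory of
    (hostname, product, version) tuples; products outside the advisory are skipped."""
    findings = []
    for host, product, version in inventory:
        if product not in FIXED_VERSIONS:
            continue
        if not is_affected(product, version):
            continue
        action = "upgrade to %s or later" % FIXED_VERSIONS[product]
        if product == "Tracer SC":
            # Tracer SC is end-of-life per the advisory: patching alone is not a long-term fix.
            action += "; product is end-of-life, plan migration to Tracer SC+"
        findings.append({"host": host, "product": product,
                         "installed": version, "action": action})
    return findings


# Constructed sample inventory (hostnames and versions are made up for the example).
SAMPLE_INVENTORY = [
    ("bms-01", "Tracer SC", "v4.4 SP6"),
    ("bms-02", "Tracer SC+", "5.5 SP3"),
    ("bms-03", "Tracer Concierge", "5.4"),
    ("bms-04", "Tracer SC", "4.4 SP7"),
    ("bms-05", "Other BMS controller", "1.0"),
]

if __name__ == "__main__":
    for f in triage(SAMPLE_INVENTORY):
        print("%s: %s %s -> %s" % (f["host"], f["product"], f["installed"], f["action"]))
```

A version string with no service-pack suffix is treated as SP0, so a bare "5.5" on a Tracer SC+ is correctly reported as affected rather than silently passing; a string the regex cannot parse raises instead of being guessed at, which is the safer failure mode for an inventory check.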
Affected Sectors
Critical Manufacturing