ICSA-21-292-02  ·  Published 2021-10-19

Trane HVAC Systems Controls

CVSS 6.3 MEDIUM

Risk Summary

Successful exploitation of this vulnerability could allow an attacker to redirect a user to a malicious webpage and steal the user's cookie.

CVEs (1)

Remediations

  • Users should upgrade Tracer SC controllers running firmware v3.8 and prior to firmware v4.4 SP7 or higher. Users should contact a regional Trane office to install updated firmware or request additional information, and reference Trane service database number HUB-207592.
  • Tracer SC is no longer actively developed, tested, or sold. Tracer SC will be considered end-of-life on December 31, 2022. Trane recommends users identify a migration plan to replace the Tracer SC controller with the Tracer SC+ controller, which can function as a drop-in replacement for Tracer SC, providing significant security upgrades.
  • Restrict physical controller access to trained and trusted personnel.
  • Isolate Tracer controls from other network devices using virtual local area networks (VLAN), and from the Internet using a firewall with no exposed inbound ports.
  • Use secure remote access solutions such as Trane Connect Remote Access.
  • Ensure user credentials are not shared and follow best practices for appropriate complexity (e.g., strong passwords).
  • Have a well-documented process and owner to ensure regular software/firmware updates and to keep systems up to date.

Affected Vendors

Trane

Affected Products (1)

Trane · Tracer SC <= 3.8

Affected Sectors

Critical Manufacturing
