Talos Vulnerability Report

TALOS-2016-0028

Trane ComfortLink II SCC Service Hardcoded Credentials Vulnerability

February 8, 2016
CVE Number

CVE-2015-2867

Description

A design flaw in the Trane ComfortLink II SCC service allows remote attackers to take complete control of the system. During system boot the SCC service installs two sets of user credentials with hardcoded passwords. These credentials can be used to remotely access the system over SSH and to locally gain root privileges.

Tested Versions

Trane ComfortLink II - firmware version 2.0.2

Product URLs

http://www.trane.com/residential/products/thermostats-and-controls/comfortlink%E2%84%A2%20ii-thermostats-and-controls

Details

The following user credentials are set during system initialization:

root:Cold,,2100AAAAA

raptor21:Cold,,2100RRRRR

Timeline

2014-04-09 - Initial contact with Trane is established. Advisories delivered.
2014-06-03 - Second attempt to contact Trane for follow up. No response received.
2014-08-15 - Third attempt to made to contact Trane for follow up. No response received.
2014-09-30 - Fourth attempt to contact Trane is made. Advisories re-sent. No further correspondence.
2015-05-26 - CERT/CC notified. CERT attempts to establish contact with Trane, but receives no response.
2015-07-13 - Fifth and final attempt to contact Trane is made. Communication is reestablished. Advisories re-sent.
2015-08-19 - Talos follows up with Trane. No patch available.
2015-09-30 - Talos follows up with Trane again. No patch available.
2015-10-19 - Talos follows up with Trane again. No patch available.
2016-01-26 - Talos follows up with Trane again. Trane informs Talos that firmware version 4.0.3 is being released that week which addresses TALOS-2015-028.
2016-01-27 - Trane makes firmware version 4.0.3 available to the public.
2016-02-08 - Talos and CERT/CC disclose these vulnerabilities.

Credit

Discovered by Matt Watchinski and Christopher McBee of Cisco Talos