Trustwave SpiderLabs Security Advisory TWSL2016-014:
Vulnerabilities in ComfortLink™ II XL850

Published: 08/11/2016
Version: 1.0

Vendor: TRANE
https://www.trane.com/residential

Product: ComfortLink™ II XL850
Version affected: 3.0 (r850_144040426701) and prior

Product description:
The ComfortLink XL850 is a WiFi and Z-Wave enabled thermostat. It communicates with the Nexia home intelligence cloud service and supports remote administration and environment control.

Finding:
The Message Processing Service on port 9999 allows remote attackers to authenticate and gain control over the device due to hardcoded access credentials and a weak authentication mechanism. This service allows access to environmental commands and sensors, as well as enabling remote SSH and additional control services.

Credit: Jeff Kitson of Trustwave

ComfortLink XL850 communicating thermostats are vulnerable to remote attackers due to hardcoded credentials and a weak authentication mechanism in the system's message processing service. The ability to authenticate with this service allows attackers to execute privileged system commands. The system is particularly vulnerable within a local network but is still highly vulnerable to remote attackers.

Proof-of-concept code is available at https://github.com/JeffKitson/Tranewreck_tools. These tools should only be used on devices you are legally authorized to test.

Remediation Steps:
Network-connected thermostats will automatically receive the firmware update. Consumers with thermostats that are not connected to the network should reach out to Trane support for alternative update methods.

Revision History:
03/30/2016: Initial email outreach to Vendor. No response.
04/13/2016: Second outreach attempt using Vendor web contact form. No response.
04/22/2016: Third outreach attempt via email to Vendor and Vendor's parent company. No response.
05/18/2016: Call placed to Vendor support line and to a local Vendor distributor. Response lacking. No acceptance of the vulnerability.
06/07/2016: Vendor reached. Vulnerability details resent and receipt confirmed.
06/20/2016: No additional information received. Intention to disclose on 23 June 2016 sent to Vendor.
06/21/2016: Vendor patch timeline accepted and extension issued.
06/24/2016: Additional agreed-upon changes made by Vendor to accept future 3rd-party disclosures.
07/13/2016: Patch released by Vendor.
08/04/2016: Vulnerability disclosed.
08/11/2016: Advisory published.

References:
1. https://www.trane.com/residential
2. https://www.trane.com/content/dam/Trane/residential/downloads/r850_144040426701.tar
3. https://github.com/JeffKitson/Tranewreck_tools

About Trustwave:
Trustwave helps businesses fight cybercrime, protect data and reduce security risks. With cloud and managed security services, integrated technologies and a team of security experts, ethical hackers and researchers, Trustwave enables businesses to transform the way they manage their information security and compliance programs while safely embracing business imperatives including big data, BYOD and social media. More than 2.5 million businesses are enrolled in the Trustwave TrustKeeper® cloud platform, through which Trustwave delivers automated, efficient and cost-effective data protection, risk management and threat intelligence. Trustwave is a privately held company, headquartered in Chicago, with customers in 96 countries. For more information about Trustwave, visit www.trustwave.com.

About Trustwave SpiderLabs:
SpiderLabs(R) is the advanced security team at Trustwave focused on application security, incident response, penetration testing, physical security and security research. The team has performed over a thousand incident investigations, thousands of penetration tests and hundreds of application security tests globally. In addition, the SpiderLabs Research team provides intelligence through bleeding-edge research and proof-of-concept tool development to enhance Trustwave's products and services.
https://www.trustwave.com/spiderlabs

Disclaimer:
The information provided in this advisory is provided "as is" without warranty of any kind. Trustwave disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Trustwave or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Trustwave or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages, so the foregoing limitation may not apply.