CVSS2: AV:N/AC:L/Au:N/C:C/I:C/A:C
  Attack Vector: NETWORK
  Attack Complexity: LOW
  Authentication: NONE
  Confidentiality Impact: COMPLETE
  Integrity Impact: COMPLETE
  Availability Impact: COMPLETE

CVSS3: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  Attack Vector: NETWORK
  Attack Complexity: LOW
  Privileges Required: NONE
  User Interaction: NONE
  Scope: UNCHANGED
  Confidentiality Impact: HIGH
  Integrity Impact: HIGH
  Availability Impact: HIGH

EPSS Percentile: 89.1%
CVE-2015-2868
An exploitable remote code execution vulnerability exists in the Trane ComfortLink II DSS service. An attacker who can connect to the DSS service on the Trane ComfortLink II device can send an overly long request that can overflow a fixed size stack buffer, resulting in arbitrary code execution.
Trane ComfortLink II - firmware version 2.0.2
The crash below is in the request parsing functionality of the DSS service:

# Crash 1
# data = "A"*200
# s.write("#{data}\r\n")
#
# Program received signal SIGSEGV, Segmentation fault.
# 0x41414140 in ?? ()
# (gdb) bt
# #0 0x41414140 in ?? ()
# #1 0x00008c38 in iHer_discProParseRequest ()
# #2 0x41414140 in ?? ()
# #3 0x41414140 in ?? ()
The code below is a partially decompiled representation of the iHer_discProParseRequest function:

int __fastcall iHer_discProParseRequest(int a1, const char *a2)
{
  int v2;         // r8@1
  const char *v3; // r7@1
  signed int v4;  // r6@2
  size_t v5;      // r4@8
  int v6;         // r3@12
  char s1;        // [sp+6h] [bp-4Ah]@1  -- first byte of the stack buffer
  char s;         // [sp+7h] [bp-49h]@1  -- remaining 0x31 bytes, 50 bytes in total
  char v10;       // [sp+8h] [bp-48h]@6
  char v11;       // [sp+9h] [bp-47h]@7

  v2 = a1;
  v3 = a2;                  // a2 is the raw request received from the client
  s1 = 0;
  memset(&s, 0, 0x31u);     // clears the 50-byte buffer starting at s1
  sscanf(v3, "%s", &s1);    // "%s" carries no width limit: the whole token is copied into the 50-byte buffer
  -- snip --

We can see here the use of sscanf with a bare "%s" conversion, which has no width limit and therefore copies the entire whitespace-delimited token from the user-controlled request into a fixed-size 50-byte stack buffer, resulting in a stack buffer overflow.
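The following is an added example, not code from the report or from the Trane firmware: a bounded re-implementation of the first parsing step shown above, with the buffer size (50 bytes, from the decompiled frame layout) as a named constant and a scanf width specifier plus a length check in place of the bare "%s". The REQ_TOKEN_BUF name and the parse_repeated helper, which rebuilds the "A"*200 crash input, are this example's own.

```c
#include <stdio.h>
#include <string.h>

/* Stack buffer size in the decompiled function: s1 (1 byte) followed by
 * the 0x31 bytes cleared by memset. Constant name is this example's own. */
#define REQ_TOKEN_BUF 50
#define REQ_TOKEN_MAX (REQ_TOKEN_BUF - 1)   /* longest token that fits with its NUL */

/* Turn the width into a string so it can be spliced into the scanf format. */
#define STR2(x) #x
#define STR(x) STR2(x)

/* Bounded replacement for `sscanf(v3, "%s", &s1)`.
 * Returns the token length on success, or -1 if the request is empty or
 * the first token would not fit in the 50-byte buffer. The width specifier
 * stops sscanf after REQ_TOKEN_BUF characters; the extra byte in `tok` lets
 * us notice that truncation happened and reject instead of silently cutting. */
int parse_request_token(const char *req, char out[REQ_TOKEN_BUF])
{
    char tok[REQ_TOKEN_BUF + 1];           /* room for REQ_TOKEN_BUF chars + NUL */
    size_t n;

    memset(out, 0, REQ_TOKEN_BUF);
    if (sscanf(req, "%" STR(REQ_TOKEN_BUF) "s", tok) != 1)
        return -1;                         /* empty or whitespace-only request */
    n = strlen(tok);
    if (n > REQ_TOKEN_MAX)
        return -1;                         /* token longer than the buffer: reject */
    memcpy(out, tok, n + 1);
    return (int)n;
}

/* Constructed input helper: `len` copies of `fill` followed by CRLF, the same
 * shape as the "A"*200 request from the crash, then parsed with the bounded
 * routine. Returns what parse_request_token returns. */
int parse_repeated(char fill, size_t len, char out[REQ_TOKEN_BUF])
{
    char req[512];
    if (len > sizeof(req) - 3)
        return -1;
    memset(req, fill, len);
    req[len] = '\r';
    req[len + 1] = '\n';
    req[len + 2] = '\0';
    return parse_request_token(req, out);
}

int main(void)
{
    char out[REQ_TOKEN_BUF];
    printf("200 x 'A': %d\n", parse_repeated('A', 200, out));   /* -1: rejected */
    printf("HELLO: %d\n", parse_request_token("HELLO\r\n", out)); /* 5 */
    return 0;
}
```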
2014-04-09 - Initial contact with Trane is established. Advisories delivered.
2014-06-03 - Second attempt to contact Trane for follow up. No response received.
2014-08-15 - Third attempt made to contact Trane for follow up. No response received.
2014-09-30 - Fourth attempt to contact Trane is made. Advisories re-sent. No further correspondence.
2015-05-26 - CERT/CC notified. CERT attempts to establish contact with Trane, but receives no response.
2015-07-13 - Fifth and final attempt to contact Trane is made. Communication is reestablished and advisories re-sent.
2015-08-19 - Talos follows up with Trane. No patch available.
2015-09-30 - Talos follows up with Trane again. No patch available.
2015-10-19 - Talos follows up with Trane again. No patch available.
2016-01-26 - Talos follows up with Trane again. Trane informs Talos that firmware version 4.0.3 is being released that week, which addresses TALOS-2015-028.
2016-01-27 - Trane makes firmware version 4.0.3 available to the public.
2016-02-08 - Talos and CERT/CC disclose these vulnerabilities.
Discovered by Matt Watchinski and Christopher McBee of Cisco Talos