CVE-2015-2868
published 2017-01-06

Priority: P260 | critical | 9.8 (CVSS 3.0)
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
EPSS: 6.84% (93.2th percentile)

An exploitable remote code execution vulnerability exists in the Trane ComfortLink II firmware version 2.0.2 in DSS service. An attacker who can connect to the DSS service on the Trane ComfortLink II device can send an overly long REG request that can overflow a fixed size stack buffer, resulting in arbitrary code execution.

Affected (2 ranges)

Vendor | Product | Version range | Fixed in
trane | comfortlink_ii_firmware | |
trane | comfortlink_ii_scc_firmware | |

Detection & IOCs (extracted from sources)

command: REG (overly long request to DSS service)
version: Trane ComfortLink II firmware 2.0.2
  • Detect oversized requests sent to the Trane ComfortLink II DSS service; the vulnerability is triggered by overly long requests (e.g., REG) that overflow a fixed-size stack buffer — monitor for abnormally large DSS service payloads.
  • Two distinct code paths are exploitable under CVE-2015-2868 (TALOS-2016-0026 and TALOS-2016-0027); detection rules should cover both separate request paths to the DSS service.
  • A Metasploit module exists for CVE-2015-2868; monitor for Metasploit-generated exploit traffic targeting the Trane ComfortLink II DSS service.
  • Block or alert on SSH traffic to/from Trane ComfortLink II thermostats as a compensating control, particularly for devices that cannot be updated.
  • CVE-2015-2868 covers two distinct vulnerabilities (TALOS-2016-0026 and TALOS-2016-0027) following separate code paths in the DSS service; a single CVE identifier should not be assumed to represent a single exploit path.
  • The vulnerability was confirmed on firmware version 2.0.2; devices running firmware 4.0.3 or later are patched, but unpatched devices may still be in the field due to lack of vendor advisory communication.

CVSS provenance

Source | Version | Score | Severity | Vector
nvd | v3.0 | 9.8 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd | v2.0 | 10.0 | CRITICAL | AV:N/AC:L/Au:N/C:C/I:C/A:C