CVE-2021-38448 - OpenCVE

The affected controllers do not properly sanitize the input containing code syntax. As a result, an attacker could craft code to alter the intended controller flow of the software.

No CVSS v4.0

Attack Vector Physical

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact Low

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

Access Vector Local

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

AV:L/AC:L/Au:N/C:P/I:P/A:P

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Trane	Ascend Air-cooled Chiller Acr Intellipak 1 Intellipak 2 Odyssey Split Systems Symbio 700 Symbio 800

Configuration 1 [-]

AND

cpe:2.3:h:trane:odyssey_split_systems:-:*:*:*:*:*:*:*

cpe:2.3:a:trane:symbio_700:*:*:*:*:*:*:*:*

Configuration 2 [-]

AND

cpe:2.3:h:trane:intellipak_1:-:*:*:*:*:*:*:*

cpe:2.3:a:trane:symbio_800:*:*:*:*:*:*:*:*

Configuration 3 [-]

AND

cpe:2.3:h:trane:intellipak_2:-:*:*:*:*:*:*:*

cpe:2.3:a:trane:symbio_800:*:*:*:*:*:*:*:*

Configuration 4 [-]

AND

cpe:2.3:h:trane:ascend_air-cooled_chiller_acr:-:*:*:*:*:*:*:*

cpe:2.3:a:trane:symbio_800:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://us-cert.cisa.gov/ics/advisories/icsa-21-266-01

History

No history.

MITRE

Status: PUBLISHED

Assigner: icscert

Published: 2021-11-22T18:58:45

Updated: 2024-08-04T01:44:22.375Z

Reserved: 2021-08-10T00:00:00

Link: CVE-2021-38448

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2021-11-22T19:15:07.907

Modified: 2022-05-10T12:29:11.863

Link: CVE-2021-38448

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "Symbio", "vendor": "Trane", "versions": [{"lessThan": "1.00.0023", "status": "affected", "version": "700", "versionType": "custom"}, {"lessThan": "1.00.0007", "status": "affected", "version": "800", "versionType": "custom"}]}], "credits": [{"lang": "en", "value": "Trane reported this vulnerability to CISA."}], "descriptions": [{"lang": "en", "value": "The affected controllers do not properly sanitize the input containing code syntax. As a result, an attacker could craft code to alter the intended controller flow of the software."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "PHYSICAL", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:H", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-94", "description": "CWE-94 Improper Control of Generation of Code ('Code Injection')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2021-11-22T18:58:45", "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "shortName": "icscert"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://us-cert.cisa.gov/ics/advisories/icsa-21-266-01"}], "solutions": [{"lang": "en", "value": "Affected users should contact a Trane representative to install updated firmware or request additional information. Please reference Trane service database number HUB-205962 when contacting the Trane office.\nTrane has identified the following specific mitigations:\n\nSymbio 700 controllers: Upgrade to v1.00.0023 or later\nSymbio 800 controllers: Upgrade to v1.00.0007 or later\nIn addition to the specific recommendations above, Trane continues to recommend the following best practices as an additional protection against this and other controller vulnerabilities:\n\nRestrict physical controller access to trained and trusted personnel.\nUse secure remote access solutions, such as Trane Connect Remote Access, when needed.\nEnsure user credentials are not shared and follow best practices for appropriate complexity (e.g., strong passwords).\nHave a well-documented process and owner to ensure regular software/firmware updates and keep systems up to date."}], "source": {"advisory": "ICSA-21-266-01", "discovery": "UNKNOWN"}, "title": "Trane Symbio Improper Control of Generation of Code", "x_generator": {"engine": "Vulnogram 0.0.9"}, "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "ics-cert@hq.dhs.gov", "ID": "CVE-2021-38448", "STATE": "PUBLIC", "TITLE": "Trane Symbio Improper Control of Generation of Code"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Symbio", "version": {"version_data": [{"version_affected": "<", "version_name": "700", "version_value": "1.00.0023"}, {"version_affected": "<", "version_name": "800", "version_value": "1.00.0007"}]}}]}, "vendor_name": "Trane"}]}}, "credit": [{"lang": "eng", "value": "Trane reported this vulnerability to CISA."}], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "The affected controllers do not properly sanitize the input containing code syntax. As a result, an attacker could craft code to alter the intended controller flow of the software."}]}, "generator": {"engine": "Vulnogram 0.0.9"}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "PHYSICAL", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:H", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-94 Improper Control of Generation of Code ('Code Injection')"}]}]}, "references": {"reference_data": [{"name": "https://us-cert.cisa.gov/ics/advisories/icsa-21-266-01", "refsource": "CONFIRM", "url": "https://us-cert.cisa.gov/ics/advisories/icsa-21-266-01"}]}, "solution": [{"lang": "en", "value": "Affected users should contact a Trane representative to install updated firmware or request additional information. Please reference Trane service database number HUB-205962 when contacting the Trane office.\nTrane has identified the following specific mitigations:\n\nSymbio 700 controllers: Upgrade to v1.00.0023 or later\nSymbio 800 controllers: Upgrade to v1.00.0007 or later\nIn addition to the specific recommendations above, Trane continues to recommend the following best practices as an additional protection against this and other controller vulnerabilities:\n\nRestrict physical controller access to trained and trusted personnel.\nUse secure remote access solutions, such as Trane Connect Remote Access, when needed.\nEnsure user credentials are not shared and follow best practices for appropriate complexity (e.g., strong passwords).\nHave a well-documented process and owner to ensure regular software/firmware updates and keep systems up to date."}], "source": {"advisory": "ICSA-21-266-01", "discovery": "UNKNOWN"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T01:44:22.375Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://us-cert.cisa.gov/ics/advisories/icsa-21-266-01"}]}]}, "cveMetadata": {"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "assignerShortName": "icscert", "cveId": "CVE-2021-38448", "datePublished": "2021-11-22T18:58:45", "dateReserved": "2021-08-10T00:00:00", "dateUpdated": "2024-08-04T01:44:22.375Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:h:trane:odyssey_split_systems:-:*:*:*:*:*:*:*", "matchCriteriaId": "556BC352-FA31-4D53-A325-749B58BAEC21", "vulnerable": false}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:a:trane:symbio_700:*:*:*:*:*:*:*:*", "matchCriteriaId": "185B1B67-EDFA-4837-BBBE-C9CDBBA277FA", "versionEndExcluding": "1.00.0023", "vulnerable": true}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:h:trane:intellipak_1:-:*:*:*:*:*:*:*", "matchCriteriaId": "D32A51A1-7DA9-4D73-8AE3-77B518FED0B6", "vulnerable": false}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:a:trane:symbio_800:*:*:*:*:*:*:*:*", "matchCriteriaId": "1DC18ED0-563B-4339-A9F5-92F495ECAA05", "versionEndExcluding": "1.30.0008", "vulnerable": true}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:h:trane:intellipak_2:-:*:*:*:*:*:*:*", "matchCriteriaId": "94E12E4E-F010-4180-A2AF-9AEAA11912AC", "vulnerable": false}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:a:trane:symbio_800:*:*:*:*:*:*:*:*", "matchCriteriaId": "1DC18ED0-563B-4339-A9F5-92F495ECAA05", "versionEndExcluding": "1.30.0008", "vulnerable": true}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:h:trane:ascend_air-cooled_chiller_acr:-:*:*:*:*:*:*:*", "matchCriteriaId": "6DBA5401-0E36-4B3B-9B2F-997594641CE0", "vulnerable": false}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:a:trane:symbio_800:*:*:*:*:*:*:*:*", "matchCriteriaId": "A2B1D4A2-7DB5-4849-8F0A-306EFF5F0198", "versionEndExcluding": "1.10.0010", "vulnerable": true}], "negate": false, "operator": "OR"}], "operator": "AND"}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The affected controllers do not properly sanitize the input containing code syntax. As a result, an attacker could craft code to alter the intended controller flow of the software."}, {"lang": "es", "value": "Los controladores afectados no sanean adecuadamente la entrada que contiene la sintaxis del c\u00f3digo. Como resultado, un atacante podr\u00eda dise\u00f1ar c\u00f3digo para alterar el flujo de controladores previsto del software"}], "id": "CVE-2021-38448", "lastModified": "2022-05-10T12:29:11.863", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "LOCAL", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 4.6, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 3.9, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "PHYSICAL", "availabilityImpact": "HIGH", "baseScore": 7.6, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 0.9, "impactScore": 6.0, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "PHYSICAL", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 0.9, "impactScore": 6.0, "source": "ics-cert@hq.dhs.gov", "type": "Secondary"}]}, "published": "2021-11-22T19:15:07.907", "references": [{"source": "ics-cert@hq.dhs.gov", "tags": ["Mitigation", "Third Party Advisory", "US Government Resource"], "url": "https://us-cert.cisa.gov/ics/advisories/icsa-21-266-01"}], "sourceIdentifier": "ics-cert@hq.dhs.gov", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-94"}], "source": "ics-cert@hq.dhs.gov", "type": "Primary"}]}