CVE-2021-38448 (GCVE-0-2021-38448)

Vulnerability from cvelistv5 – Published: 2021-11-22 18:58 – Updated: 2024-08-04 01:44
VLAI?
Title
Trane Symbio Improper Control of Generation of Code
Summary
The affected controllers do not properly sanitize the input containing code syntax. As a result, an attacker could craft code to alter the intended controller flow of the software.
Severity ?
7.5 (High)
CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:H
CWE
  • CWE-94 - Improper Control of Generation of Code ('Code Injection')
Assigner
References
Impacted products
Vendor Product Version
Trane Symbio Affected: 700 , < 1.00.0023 (custom)
Affected: 800 , < 1.00.0007 (custom)
Create a notification for this product.
Credits
Trane reported this vulnerability to CISA.
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T01:44:22.375Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://us-cert.cisa.gov/ics/advisories/icsa-21-266-01"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Symbio",
          "vendor": "Trane",
          "versions": [
            {
              "lessThan": "1.00.0023",
              "status": "affected",
              "version": "700",
              "versionType": "custom"
            },
            {
              "lessThan": "1.00.0007",
              "status": "affected",
              "version": "800",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Trane reported this vulnerability to CISA."
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The affected controllers do not properly sanitize the input containing code syntax. As a result, an attacker could craft code to alter the intended controller flow of the software."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "PHYSICAL",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "LOW",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-94",
              "description": "CWE-94 Improper Control of Generation of Code (\u0027Code Injection\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2021-11-22T18:58:45",
        "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
        "shortName": "icscert"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://us-cert.cisa.gov/ics/advisories/icsa-21-266-01"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "value": "Affected users should contact a Trane representative to install updated firmware or request additional information. Please reference Trane service database number HUB-205962 when contacting the Trane office.\nTrane has identified the following specific mitigations:\n\nSymbio 700 controllers: Upgrade to v1.00.0023 or later\nSymbio 800 controllers: Upgrade to v1.00.0007 or later\nIn addition to the specific recommendations above, Trane continues to recommend the following best practices as an additional protection against this and other controller vulnerabilities:\n\nRestrict physical controller access to trained and trusted personnel.\nUse secure remote access solutions, such as Trane Connect Remote Access, when needed.\nEnsure user credentials are not shared and follow best practices for appropriate complexity (e.g., strong passwords).\nHave a well-documented process and owner to ensure regular software/firmware updates and keep systems up to date."
        }
      ],
      "source": {
        "advisory": "ICSA-21-266-01",
        "discovery": "UNKNOWN"
      },
      "title": "Trane Symbio Improper Control of Generation of Code",
      "x_generator": {
        "engine": "Vulnogram 0.0.9"
      },
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "ics-cert@hq.dhs.gov",
          "ID": "CVE-2021-38448",
          "STATE": "PUBLIC",
          "TITLE": "Trane Symbio Improper Control of Generation of Code"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Symbio",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c",
                            "version_name": "700",
                            "version_value": "1.00.0023"
                          },
                          {
                            "version_affected": "\u003c",
                            "version_name": "800",
                            "version_value": "1.00.0007"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Trane"
              }
            ]
          }
        },
        "credit": [
          {
            "lang": "eng",
            "value": "Trane reported this vulnerability to CISA."
          }
        ],
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "The affected controllers do not properly sanitize the input containing code syntax. As a result, an attacker could craft code to alter the intended controller flow of the software."
            }
          ]
        },
        "generator": {
          "engine": "Vulnogram 0.0.9"
        },
        "impact": {
          "cvss": {
            "attackComplexity": "LOW",
            "attackVector": "PHYSICAL",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "LOW",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:H",
            "version": "3.1"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-94 Improper Control of Generation of Code (\u0027Code Injection\u0027)"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://us-cert.cisa.gov/ics/advisories/icsa-21-266-01",
              "refsource": "CONFIRM",
              "url": "https://us-cert.cisa.gov/ics/advisories/icsa-21-266-01"
            }
          ]
        },
        "solution": [
          {
            "lang": "en",
            "value": "Affected users should contact a Trane representative to install updated firmware or request additional information. Please reference Trane service database number HUB-205962 when contacting the Trane office.\nTrane has identified the following specific mitigations:\n\nSymbio 700 controllers: Upgrade to v1.00.0023 or later\nSymbio 800 controllers: Upgrade to v1.00.0007 or later\nIn addition to the specific recommendations above, Trane continues to recommend the following best practices as an additional protection against this and other controller vulnerabilities:\n\nRestrict physical controller access to trained and trusted personnel.\nUse secure remote access solutions, such as Trane Connect Remote Access, when needed.\nEnsure user credentials are not shared and follow best practices for appropriate complexity (e.g., strong passwords).\nHave a well-documented process and owner to ensure regular software/firmware updates and keep systems up to date."
          }
        ],
        "source": {
          "advisory": "ICSA-21-266-01",
          "discovery": "UNKNOWN"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
    "assignerShortName": "icscert",
    "cveId": "CVE-2021-38448",
    "datePublished": "2021-11-22T18:58:45",
    "dateReserved": "2021-08-10T00:00:00",
    "dateUpdated": "2024-08-04T01:44:22.375Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "fkie_nvd": {
      "configurations": "[{\"operator\": \"AND\", \"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:trane:symbio_700:*:*:*:*:*:*:*:*\", \"versionEndExcluding\": \"1.00.0023\", \"matchCriteriaId\": \"185B1B67-EDFA-4837-BBBE-C9CDBBA277FA\"}]}, {\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": false, \"criteria\": \"cpe:2.3:h:trane:odyssey_split_systems:-:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"556BC352-FA31-4D53-A325-749B58BAEC21\"}]}]}, {\"operator\": \"AND\", \"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:trane:symbio_800:*:*:*:*:*:*:*:*\", \"versionEndExcluding\": \"1.30.0008\", \"matchCriteriaId\": \"1DC18ED0-563B-4339-A9F5-92F495ECAA05\"}]}, {\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": false, \"criteria\": \"cpe:2.3:h:trane:intellipak_1:-:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"D32A51A1-7DA9-4D73-8AE3-77B518FED0B6\"}]}]}, {\"operator\": \"AND\", \"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:trane:symbio_800:*:*:*:*:*:*:*:*\", \"versionEndExcluding\": \"1.30.0008\", \"matchCriteriaId\": \"1DC18ED0-563B-4339-A9F5-92F495ECAA05\"}]}, {\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": false, \"criteria\": \"cpe:2.3:h:trane:intellipak_2:-:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"94E12E4E-F010-4180-A2AF-9AEAA11912AC\"}]}]}, {\"operator\": \"AND\", \"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:trane:symbio_800:*:*:*:*:*:*:*:*\", \"versionEndExcluding\": \"1.10.0010\", \"matchCriteriaId\": \"A2B1D4A2-7DB5-4849-8F0A-306EFF5F0198\"}]}, {\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": false, \"criteria\": \"cpe:2.3:h:trane:ascend_air-cooled_chiller_acr:-:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"6DBA5401-0E36-4B3B-9B2F-997594641CE0\"}]}]}]",
      "descriptions": "[{\"lang\": \"en\", \"value\": \"The affected controllers do not properly sanitize the input containing code syntax. As a result, an attacker could craft code to alter the intended controller flow of the software.\"}, {\"lang\": \"es\", \"value\": \"Los controladores afectados no sanean adecuadamente la entrada que contiene la sintaxis del c\\u00f3digo. Como resultado, un atacante podr\\u00eda dise\\u00f1ar c\\u00f3digo para alterar el flujo de controladores previsto del software\"}]",
      "id": "CVE-2021-38448",
      "lastModified": "2024-11-21T06:17:07.353",
      "metrics": "{\"cvssMetricV31\": [{\"source\": \"ics-cert@hq.dhs.gov\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:H\", \"baseScore\": 7.5, \"baseSeverity\": \"HIGH\", \"attackVector\": \"PHYSICAL\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"CHANGED\", \"confidentialityImpact\": \"LOW\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 0.9, \"impactScore\": 6.0}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H\", \"baseScore\": 7.6, \"baseSeverity\": \"HIGH\", \"attackVector\": \"PHYSICAL\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"CHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 0.9, \"impactScore\": 6.0}], \"cvssMetricV2\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"2.0\", \"vectorString\": \"AV:L/AC:L/Au:N/C:P/I:P/A:P\", \"baseScore\": 4.6, \"accessVector\": \"LOCAL\", \"accessComplexity\": \"LOW\", \"authentication\": \"NONE\", \"confidentialityImpact\": \"PARTIAL\", \"integrityImpact\": \"PARTIAL\", \"availabilityImpact\": \"PARTIAL\"}, \"baseSeverity\": \"MEDIUM\", \"exploitabilityScore\": 3.9, \"impactScore\": 6.4, \"acInsufInfo\": false, \"obtainAllPrivilege\": false, \"obtainUserPrivilege\": false, \"obtainOtherPrivilege\": false, \"userInteractionRequired\": false}]}",
      "published": "2021-11-22T19:15:07.907",
      "references": "[{\"url\": \"https://us-cert.cisa.gov/ics/advisories/icsa-21-266-01\", \"source\": \"ics-cert@hq.dhs.gov\", \"tags\": [\"Mitigation\", \"Third Party Advisory\", \"US Government Resource\"]}, {\"url\": \"https://us-cert.cisa.gov/ics/advisories/icsa-21-266-01\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Mitigation\", \"Third Party Advisory\", \"US Government Resource\"]}]",
      "sourceIdentifier": "ics-cert@hq.dhs.gov",
      "vulnStatus": "Modified",
      "weaknesses": "[{\"source\": \"ics-cert@hq.dhs.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-94\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2021-38448\",\"sourceIdentifier\":\"ics-cert@hq.dhs.gov\",\"published\":\"2021-11-22T19:15:07.907\",\"lastModified\":\"2024-11-21T06:17:07.353\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"The affected controllers do not properly sanitize the input containing code syntax. As a result, an attacker could craft code to alter the intended controller flow of the software.\"},{\"lang\":\"es\",\"value\":\"Los controladores afectados no sanean adecuadamente la entrada que contiene la sintaxis del c\u00f3digo. Como resultado, un atacante podr\u00eda dise\u00f1ar c\u00f3digo para alterar el flujo de controladores previsto del software\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"ics-cert@hq.dhs.gov\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:H\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\",\"attackVector\":\"PHYSICAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":0.9,\"impactScore\":6.0},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H\",\"baseScore\":7.6,\"baseSeverity\":\"HIGH\",\"attackVector\":\"PHYSICAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":0.9,\"impactScore\":6.0}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:L/AC:L/Au:N/C:P/I:P/A:P\",\"baseScore\":4.6,\"accessVector\":\"LOCAL\",\"accessComplexity\":\"LOW\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"PARTIAL\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"PARTIAL\"},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":3.9,\"impactScore\":6.4,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"ics-cert@hq.dhs.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-94\"}]}],\"configurations\":[{\"operator\":\"AND\",\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:trane:symbio_700:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"1.00.0023\",\"matchCriteriaId\":\"185B1B67-EDFA-4837-BBBE-C9CDBBA277FA\"}]},{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":false,\"criteria\":\"cpe:2.3:h:trane:odyssey_split_systems:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"556BC352-FA31-4D53-A325-749B58BAEC21\"}]}]},{\"operator\":\"AND\",\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:trane:symbio_800:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"1.30.0008\",\"matchCriteriaId\":\"1DC18ED0-563B-4339-A9F5-92F495ECAA05\"}]},{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":false,\"criteria\":\"cpe:2.3:h:trane:intellipak_1:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"D32A51A1-7DA9-4D73-8AE3-77B518FED0B6\"}]}]},{\"operator\":\"AND\",\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:trane:symbio_800:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"1.30.0008\",\"matchCriteriaId\":\"1DC18ED0-563B-4339-A9F5-92F495ECAA05\"}]},{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":false,\"criteria\":\"cpe:2.3:h:trane:intellipak_2:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"94E12E4E-F010-4180-A2AF-9AEAA11912AC\"}]}]},{\"operator\":\"AND\",\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:trane:symbio_800:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"1.10.0010\",\"matchCriteriaId\":\"A2B1D4A2-7DB5-4849-8F0A-306EFF5F0198\"}]},{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":false,\"criteria\":\"cpe:2.3:h:trane:ascend_air-cooled_chiller_acr:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"6DBA5401-0E36-4B3B-9B2F-997594641CE0\"}]}]}],\"references\":[{\"url\":\"https://us-cert.cisa.gov/ics/advisories/icsa-21-266-01\",\"source\":\"ics-cert@hq.dhs.gov\",\"tags\":[\"Mitigation\",\"Third Party Advisory\",\"US Government Resource\"]},{\"url\":\"https://us-cert.cisa.gov/ics/advisories/icsa-21-266-01\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Mitigation\",\"Third Party Advisory\",\"US Government Resource\"]}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.