OTPulse

Trane Symbio (Update B)

Plan: Patch · CVSS 7.5 · ICS-CERT ICSA-21-266-01 · Sep 23, 2021
Attack Vector: Physical
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

Trane Symbio 700 and Symbio 800 controllers contain an arbitrary code execution vulnerability (CWE-94) that allows code injection when an attacker has physical access to the device. Affected products include Odyssey Split Systems (all versions < 1.00.0023), IntelliPak Rooftop Air Conditioner (all versions < 1.30.0008), Ascend Air-Cooled Chiller Model ACR (all versions < 1.10.0010), and Agility Water-Cooled Chiller Model HDWA (all versions < 1.00.0010). Successful exploitation allows arbitrary code execution on the controller, potentially enabling process manipulation or system shutdown. This vulnerability is not remotely exploitable and requires physical access to the device.

What this means
What could happen
An attacker with physical access to a Trane HVAC/chiller controller could execute arbitrary code and modify setpoints, disable cooling systems, or disrupt building comfort and operational processes.
Who's at risk
Water utilities and facilities managers operating Trane Symbio 700 and Symbio 800 equipment, including Odyssey Split Systems, IntelliPak Rooftop Air Conditioners, Ascend Air-Cooled Chillers, and Agility Water-Cooled Chillers. This affects building HVAC and cooling systems critical to facility operations.
How it could be exploited
An attacker must have physical access to the controller itself. Once physically connected, they could upload malicious firmware or code to take control of the device. No network access is required.
Prerequisites
  • Physical access to the controller
  • No authentication required once physical access is obtained
  • Physical access required (lower network risk)
  • Low complexity exploitation if physical access obtained
  • No patch available for some products
  • Affects comfort and operational cooling systems
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (4)
4 with fix
Product                                  | Affected Versions | Fix Status
Odyssey Split Systems                    | All < 1.00.0023   | 1.00.0023
IntelliPak Rooftop Air Conditioner       | All < 1.30.0008   | 1.30.0008
Ascend Air-Cooled Chiller Model ACR      | All < 1.10.0010   | 1.10.0010
Agility Water-Cooled Chiller Model HDWA  | All < 1.00.0010   | 1.00.0010
Remediation & Mitigation
Do now
HARDENING: Restrict physical controller access to trained and trusted personnel only
HARDENING: Enforce strong password policies and ensure credentials are not shared among users
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Update Odyssey Split Systems to firmware version 1.00.0023 or later
HOTFIX: Update IntelliPak Rooftop Air Conditioner to firmware version 1.30.0008 or later
HOTFIX: Update Ascend Air-Cooled Chiller Model ACR to firmware version 1.10.0010 or later
HOTFIX: Update Agility Water-Cooled Chiller Model HDWA to firmware version 1.00.0010 or later
Long-term hardening
HARDENING: Use Trane Connect Remote Access or other secure remote access solutions instead of direct network access to controllers
HARDENING: Isolate HVAC/chiller control system networks from the business network using firewalls