Vulnerability Note VU#236668

Samsung Data Management Server vulnerable to SQL injection

Original Release date: 06 May 2011 | Last revised: 09 May 2011

Overview

The Samsung Integrated Management System DMS is used to manage several air conditioning units. The DMS contains a built-in web server that is susceptible to SQL injection attacks.

Description

The DMS application's authentication form can be bypassed with SQL injection attacks. Versions 1.3.3, 1.4.1 and 1.4.2 are reported to be affected. Other versions may also be affected. More details can be found in ICS-CERT's 11-069-01 advisory.
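The note does not publish the DMS login code, so the following is an added illustration (not Samsung's code) of the defect class it describes: a login query built by string concatenation, next to the parameterized form that closes the bypass. The table layout, column names and the SHA-256 placeholder hash are assumptions for the demo only.

```python
import hashlib
import sqlite3

# Constructed in-memory user store; the real DMS schema is unknown.
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT PRIMARY KEY, pw_hash TEXT, role TEXT)")
    db.execute("INSERT INTO users VALUES (?, ?, ?)",
               ("admin", pw_digest("correct-horse"), "administrator"))
    return db

def pw_digest(password):
    # Placeholder digest for the demo; a real system needs a salted, slow password hash.
    return hashlib.sha256(password.encode()).hexdigest()

def login_concat(db, user, password):
    """Vulnerable pattern: the username is spliced into the SQL text, so a
    comment sequence in it truncates the password check entirely."""
    sql = (f"SELECT role FROM users WHERE name = '{user}' "
           f"AND pw_hash = '{pw_digest(password)}'")
    row = db.execute(sql).fetchone()
    return row[0] if row else None

def login_param(db, user, password):
    """Hardened pattern: bound parameters are sent as data, never parsed as
    SQL, so the query structure cannot be altered by either field."""
    row = db.execute("SELECT role FROM users WHERE name = ? AND pw_hash = ?",
                     (user, pw_digest(password))).fetchone()
    return row[0] if row else None

if __name__ == "__main__":
    db = make_db()
    # Same malformed username against both forms: only the concatenated one
    # grants the administrator role without a valid password.
    print("concat :", login_concat(db, "admin' --", "x"))
    print("param  :", login_param(db, "admin' --", "x"))
```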

Impact

An attacker can bypass authentication and access the web server as an administrative user.

Solution

Apply an Update

Samsung has provided a DMS Update Guide explaining how to apply the 1.4.3 patch. The patch and "DMS Updater Plus" application can be found on Samsung's download site.

Restrict Access

Appropriate firewall rules should be implemented to restrict access to only trusted sources.

Vendor Information

Vendor   Status    Date Notified  Date Updated
Samsung  Affected  08 Dec 2010    08 Dec 2010
If you are a vendor and your product is affected, let us know.

CVSS Metrics

Group Score Vector
Base N/A N/A
Temporal N/A N/A
Environmental N/A N/A

References

Credit

Thanks to José A. Guasch from SecurityByDefault.com for reporting this vulnerability.

This document was written by Jared Allar.

Other Information

  • CVE IDs: CVE-2010-4284
  • Date Public: 06 May 2011
  • Date First Published: 06 May 2011
  • Date Last Updated: 09 May 2011
  • Document Revision: 23

Feedback

If you have feedback, comments, or additional information about this vulnerability, please send us email.