Vulnerability Note VU#236668

Samsung Data Management Server vulnerable to SQL injection

Original Release date: 06 May 2011 | Last revised: 09 May 2011


The Samsung Integrated Management System Data Management Server (DMS) is used to manage multiple air conditioning units. The DMS includes a built-in web server that is vulnerable to SQL injection.


The login form of the DMS web application is vulnerable to SQL injection, which allows authentication to be bypassed. Versions 1.3.3, 1.4.1 and 1.4.2 are reported to be affected; other versions may also be affected. More details can be found in ICS-CERT advisory 11-069-01.
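The class of flaw described above, shown as an added illustration rather than code from the DMS (whose implementation and database schema are not public): a login check that assembles its query by string concatenation, beside the parameterised replacement, both run against a constructed in-memory SQLite table. The `users` schema, the credentials and the injection payloads are assumptions made for the demonstration.

```python
import sqlite3


def make_db():
    """Constructed stand-in for a product's user store (assumption: the real
    DMS schema is unknown; one administrative account is enough to show the
    bypass)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'S3cret!', 'administrator')")
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Vulnerable pattern: user input is spliced into the SQL text, so a quote
    or comment marker in the username changes the query's structure.
    Returns the matching (username, role) row or None."""
    query = (
        "SELECT username, role FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    return conn.execute(query).fetchone()


def login_fixed(conn, username, password):
    """Hardened pattern: a parameterised query. The driver passes the values
    separately from the SQL text, so they can only ever be compared as data."""
    query = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone()


if __name__ == "__main__":
    db = make_db()
    # Payload 1: close the quoted username and comment out the password check.
    print("vulnerable, admin' --  :", login_vulnerable(db, "admin' --", "wrong"))
    # Payload 2: the classic tautology, which matches the first row regardless
    # of the credentials supplied.
    print("vulnerable, ' OR '1'='1:", login_vulnerable(db, "' OR '1'='1", "' OR '1'='1"))
    # The same payloads against the parameterised query find no user.
    print("fixed, admin' --       :", login_fixed(db, "admin' --", "wrong"))
    print("fixed, ' OR '1'='1     :", login_fixed(db, "' OR '1'='1", "' OR '1'='1"))
    # Legitimate credentials still work with the fix.
    print("fixed, real credentials:", login_fixed(db, "admin", "S3cret!"))
```

The `admin' --` payload turns the concatenated query into `... WHERE username = 'admin' --' AND password = 'wrong'`, so the password comparison is commented away and the administrator row is returned; against the parameterised query the same string is simply a username that does not exist.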


A remote attacker who can reach the DMS web server can bypass authentication and gain administrative access to the web interface.


Apply an Update

Samsung has provided a DMS Update Guide explaining how to apply the 1.4.3 patch. The patch and "DMS Updater Plus" application can be found on Samsung's download site.

Restrict Access

Restrict access to the DMS web server with firewall rules so that only trusted hosts and networks can reach it.

Vendor Information

Vendor    Status     Date Notified    Date Updated
Samsung   Affected   08 Dec 2010      08 Dec 2010

CVSS Metrics

Group           Score   Vector
Base            N/A     N/A
Temporal        N/A     N/A
Environmental   N/A     N/A



Thanks to José A. Guasch for reporting this vulnerability.

This document was written by Jared Allar.

Other Information

  • CVE IDs: CVE-2010-4284
  • Date Public: 06 May 2011
  • Date First Published: 06 May 2011
  • Date Last Updated: 09 May 2011
  • Document Revision: 23

