search menu icon-carat-right cmu-wordmark

CERT Coordination Center

Samsung Data Management Server vulnerable to SQL injection

Vulnerability Note VU#236668

Original Release Date: 2011-05-06 | Last Revised: 2011-05-09

Overview

The Samsung Integrated Management System DMS is used to manage several air conditioning units. The DMS contains a built-in web server that is susceptible to SQL injection attacks.

Description

The DMS application's authentication form can be bypassed with SQL injection attacks. Versions 1.3.3, 1.4.1 and 1.4.2 are reported to be affected. Other versions may also be affected. More details can be found in ICS-CERT's 11-069-01 advisory.

Impact

An attacker can bypass authentication and access the web server as an administrative user.

Solution

Apply an Update

Samsung has provided a DMS Update Guide explaining how to apply the 1.4.3 patch. The patch and "DMS Updater Plus" application can be found on Samsung's download site.

Restrict Access

Appropriate firewall rules should be implemented to restrict access to only trusted sources.

Vendor Information

236668
 
Affected   Unknown   Unaffected

Samsung

Notified:  December 08, 2010 Updated:  December 08, 2010

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.


CVSS Metrics

Group Score Vector
Base N/A N/A
Temporal N/A N/A
Environmental N/A

References

Acknowledgements

Thanks to José A. Guasch from SecurityByDefault.com for reporting this vulnerability.

This document was written by Jared Allar.

Other Information

CVE IDs: CVE-2010-4284
Date Public: 2011-05-06
Date First Published: 2011-05-06
Date Last Updated: 2011-05-09 16:22 UTC
Document Revision: 23

Sponsored by the Department of Homeland Security Office of Cybersecurity and Communications.