All information products included in https://us-cert.cisa.gov/ics are provided "as is" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained within. DHS does not endorse any commercial product or service, referenced in this product or otherwise. Further dissemination of this product is governed by the Traffic Light Protocol (TLP) marking in the header. For more information about TLP, see https://us-cert.cisa.gov/tlp/.
This updated website posting provides new information regarding Samsung’s process for acquiring the updated software to mitigate the reported vulnerability.
José A. Guasch,a reported a SQL injection vulnerability in the Samsung Data Management Server (DMS). Samsung has released an update and ICS-CERT has verified that the software update corrects the vulnerability.
Version 1.4.2 and all earlier versions are affected by this vulnerability.
The Samsung DMS is designed to automate building environment control and is used primarily by schools and other public organizations, which typically install multiple air conditioning units in their buildings.
The Samsung Integrated Management System DMS is used to manage multiple air conditioning units in large public buildings. This product has been widely deployed in approximately 15 countries, including Korea, various European countries, China, and the United States.
The DMS system includes an integrated web server with an application used to control multiple air conditioning systems from a centralized management console. The DMS web interface is vulnerable to a SQL injection attack, which allows an attacker to bypass authentication and access the web server as an administrative user.
An unprotected DMS system can be remotely exploited through a SQL injection attack.
Existence of Exploit
No exploits are known that target this vulnerability.
An attacker with low to moderate skill can exploit this vulnerability using publicly available Internet search engines to identify vulnerable systems. An attacker can bypass authentication and gain administrative privileges using uncomplicated SQL injection techniques.
Samsung has released an updated version of the DMS software to address this vulnerability.
ICS-CERT and Samsung recommend that DMS users implement the following mitigation steps:
--------- Begin Update B Part 1 of 1 ----------
- Contact Samsung via the e-mail address that is posted at the following Internet address: http://www.dvmcare.com/SRM/dms/download.html.
- Samsung will then either update the DMS installation remotely or dispatch a Samsung service engineer directly to the installation site to apply the patch, depending on customer preference.
---------- End Update B Part 1 of 1 ----------
- Download and apply the DMS Update Plus.
- Implement firewall rules to limit network access to the DMS system on Port 80/TCP.
ICS-CERT encourages asset owners to minimize network exposure for all control system devices. Critical devices should not directly face the Internet. Locate control system networks and remote devices behind firewalls and isolated from the business network. When remote access is required, use secure methods such as Virtual Private Networks (VPNs).
Organizations that observe any suspected malicious activity should follow their established internal procedures and report their findings to ICS-CERT for tracking and correlation against other incidents. ICS-CERT reminds organizations to perform proper impact analysis and risk assessment prior to taking
The Control System Security Program also provides a recommended practices section for control systems on the US-CERT website. Several recommended practices are available for reading or download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
For any questions related to this report, please contact the CISA at:
Toll Free: 1-888-282-0870
CISA continuously strives to improve its products and services. You can help by choosing one of the links below to provide feedback about this product.
Please share your thoughts.
We recently updated our anonymous product survey; we'd welcome your feedback.