ICS Advisory

Samsung Data Management Server (Update B)

Last Revised
Alert Code
ICSA-11-069-01B

Overview

This updated website posting provides new information regarding Samsung’s process for acquiring the updated software to mitigate the reported vulnerability.

José A. Guasch, http://www.SecurityByDefault.com, reported a SQL injection vulnerability in the Samsung Data Management Server (DMS). Samsung has released an update and ICS-CERT has verified that the software update corrects the vulnerability.

Affected Products

Version 1.4.2 and all earlier versions are affected by this vulnerability.

Impact

The Samsung DMS is designed to automate building environment control and is used primarily by schools and other public organizations, which typically install multiple air conditioning units in their buildings.

Background

The Samsung Integrated Management System DMS is used to manage multiple air conditioning units in large public buildings. This product has been widely deployed in approximately 15 countries, including Korea, various European countries, China, and the United States.

Vulnerability Characterization

Vulnerability Overview

The DMS system includes an integrated web server with an application used to control multiple air conditioning systems from a centralized management console. The DMS web interface is vulnerable to a SQL injection attack, which allows an attacker to bypass authentication and access the web server as an administrative user.
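The advisory describes the vulnerability class without showing the DMS code. The following added example (not Samsung's code; the DMS schema, endpoint and account store are assumed and constructed here) contrasts the pattern that makes an authentication query injectable, string-splicing user input into the SQL text, with the parameterized form that fixes it. A benign username containing an apostrophe is enough to show the difference: the spliced query fails to parse because the input is treated as SQL, while the parameterized query treats it as data and simply finds no match. Password handling is deliberately simplified to keep the focus on the query.

```python
import sqlite3

# Constructed in-memory account table standing in for the DMS web application's
# user store (assumption: the advisory does not describe the real schema).
# Plaintext passwords are used only to keep this demo short.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT, role TEXT)")
    conn.execute(
        "INSERT INTO users VALUES ('admin', 'correct horse', 'administrator')"
    )
    conn.commit()
    return conn

def login_unsafe(conn, user, password):
    """Injectable pattern: user input is spliced into the SQL text, so quote
    characters in the input become part of the query's structure."""
    sql = ("SELECT role FROM users WHERE name = '" + user +
           "' AND password = '" + password + "'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None

def login_safe(conn, user, password):
    """Hardened pattern: the query structure is fixed and the driver binds the
    input as values, so the input can never change the WHERE clause."""
    row = conn.execute(
        "SELECT role FROM users WHERE name = ? AND password = ?",
        (user, password),
    ).fetchone()
    return row[0] if row else None

def demo():
    """Run both forms against the same inputs and report what each does."""
    conn = make_db()
    results = {}
    results["safe_valid"] = login_safe(conn, "admin", "correct horse")
    results["unsafe_valid"] = login_unsafe(conn, "admin", "correct horse")
    # A legitimate name with an apostrophe: data to the safe form,
    # a parse error (input interpreted as SQL) to the unsafe form.
    results["safe_quote"] = login_safe(conn, "O'Brien", "x")
    try:
        login_unsafe(conn, "O'Brien", "x")
        results["unsafe_quote"] = "no error"
    except sqlite3.OperationalError:
        results["unsafe_quote"] = "syntax error"
    return results

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The syntax error from the unsafe form is the tell a code reviewer looks for: any query whose text changes with user input is one the database will happily re-interpret, which is exactly how an authentication check can be made to return a row the caller did not earn. The parameterized form removes that possibility regardless of what the input contains.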

Vulnerability Details

Exploitability

An unprotected DMS system can be remotely exploited through a SQL injection attack.

Existence of Exploit

No exploits are known that target this vulnerability.

Difficulty

An attacker with low to moderate skill can exploit this vulnerability using publicly available Internet search engines to identify vulnerable systems. An attacker can bypass authentication and gain administrative privileges using uncomplicated SQL injection techniques.

Mitigation

Samsung has released an updated version of the DMS software to address this vulnerability.

ICS-CERT and Samsung recommend that DMS users implement the following mitigation steps:

--------- Begin Update B Part 1 of 1 ----------

  1. Contact Samsung via the e-mail address that is posted at the following Internet address: http://www.dvmcare.com/SRM/dms/download.html.
  2. Samsung will then either update the DMS installation remotely or dispatch a Samsung service engineer directly to the installation site to apply the patch, depending on customer preference.

---------- End Update B Part 1 of 1 ----------

  1. Download and apply the DMS Update Plus.
  2. Implement firewall rules to limit network access to the DMS system on Port 80/TCP.

ICS-CERT encourages asset owners to minimize network exposure for all control system devices. Critical devices should not directly face the Internet. Locate control system networks and remote devices behind firewalls and isolated from the business network. When remote access is required, use secure methods such as Virtual Private Networks (VPNs).
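The mitigation steps call for firewall rules that limit which networks can reach the DMS web interface on 80/TCP, and the paragraph above asks that control-system devices not face the Internet directly. One way to verify that such a rule is actually in effect is to check the web server's access log against the allowed source networks. The example below is added here and is not part of the advisory or of the DMS product; the log format, the `/login` path and the `10.20.30.0/24` management subnet are constructed assumptions, and the sample lines are made up for the demonstration.

```python
import ipaddress
import re

# Constructed sample access-log lines for the DMS web interface
# (assumption: a common log format; the real DMS log layout is not described).
SAMPLE_LOG = """\
10.20.30.5 - - [12/Mar/2011:08:01:12 +0000] "POST /login HTTP/1.1" 200 512
10.20.30.9 - - [12/Mar/2011:08:02:40 +0000] "GET /status HTTP/1.1" 200 1024
203.0.113.77 - - [12/Mar/2011:08:03:02 +0000] "POST /login HTTP/1.1" 200 512
198.51.100.4 - - [12/Mar/2011:08:03:15 +0000] "GET /login HTTP/1.1" 200 812
"""

# Assumed: the building-management subnet is the only network that should
# reach the DMS web server on 80/TCP (the same set the firewall rule permits).
ALLOWED_NETWORKS = [ipaddress.ip_network("10.20.30.0/24")]

LINE_RE = re.compile(
    r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})'
)

def parse_line(line):
    """Parse one access-log line into its fields; None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {"src": m.group(1), "ts": m.group(2), "method": m.group(3),
            "path": m.group(4), "status": int(m.group(5))}

def is_allowed(src):
    """True when the source address falls inside an allowed network."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in ALLOWED_NETWORKS)

def find_external_access(log_text):
    """Return records whose source lies outside the allowed networks.
    Any hit means the network restriction is missing or being bypassed."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and not is_allowed(rec["src"]):
            hits.append(rec)
    return hits

if __name__ == "__main__":
    for rec in find_external_access(SAMPLE_LOG):
        print(f"{rec['ts']} {rec['src']} {rec['method']} "
              f"{rec['path']} -> {rec['status']}")
```

Run against a real log export, a non-empty result is the first thing to follow up on: either the firewall rule is not in place, or traffic is arriving by a path the rule does not cover. Requests to the login page from outside the management network are the ones that matter most for this advisory, since that page is where the authentication bypass applies.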

Organizations that observe any suspected malicious activity should follow their established internal procedures and report their findings to ICS-CERT for tracking and correlation against other incidents. ICS-CERT reminds organizations to perform proper impact analysis and risk assessment prior to taking defensive measures.

The Control System Security Program also provides a recommended practices section for control systems on the US-CERT website. Several recommended practices are available for reading or download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

This product is provided subject to this Notification and this Privacy & Use policy.

Vendor

Samsung