Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: Corrected the link for 5.13.5

This article describes how to handle a possible phishing vulnerability in Nexus Hybrid Access Gateway and Smart ID Digital Access with versions above 5.*. This vulnerability has ID DA-282.

The information in this article is provided as a part of security measures and we urgently request you to upgrade to the either 5.13.5, 6.0.2 or 6.0.4 as well as hotfix these versions with the latest patches.

See the instructions below for the different versions.

Expandall

Expand
titleHybrid Access Gateway 5.13.5

This instruction describes how to resolve a phishing vulnerability in Hybrid Access Gateway 5.13.5.

The needed file can be accessed here: https://support2.nexusgroup.com/Release/files/Nexus%20Hybrid%20Access%20Gateway/SSO%20hotfix%20-%20DA-282/5.13.5//access-point-5.13.5-sso-fix.zip

  1. Move the provided file access-point to the virtual appliance.
  2. ssh into the machine.
  3. Exit from the bash menu and elevate the prompt (use, for example, sudo su - )
  4. Go to /opt/nexus/access-point/bin.
  5. Stop the access point:

    Code Block
    titleStop access point
    /etc/init.d/access-point stop


  6. Copy the current file access-point and save it in a different location.
  7. Remove the file access-point.
  8. Copy the provided file access-point to the folder /opt/nexus/access-point/bin.
  9. Set the correct permissions:

    Code Block
    titleSet permissions
    chown pwuser:pwuser /opt/nexus/access-point/bin/access-point


  10. Start the access point:

    Code Block
    titleStart access point
    /etc/init.d/access-point start


  11. Make sure that everything works and also verify system logs to check for any anomalies.


Expand
titleDigital Access 6.0.2

This instruction describes how to resolve a phishing vulnerability in Digital Access 6.0.2.

The needed file can be accessed here: https://support2.nexusgroup.com/Release/files/Nexus%20Hybrid%20Access%20Gateway/SSO%20hotfix%20-%20DA-282/6.0.2/access-point-6.0.2-sso-fix.tar

  1. Move the provided file access-point-6.0.2-sso-fix.tar to the virtual appliance. 
  2. ssh into the machine.
  3. Exit from the bash menu and elevate the prompt (use, for example, sudo su - )
  4. Stop the access point:

    Code Block
    titleStop access point
    docker exec orchestrator hagcli -s access-point -o stop


  5. Save the current access point as backup:

    Code Block
    titleSave current access point
    docker save crcommondevelopment92007.azurecr.io/smartid-digitalaccess/access-point:6.0.2.26514 -o /home/agadmin/access-point-6.0.2-original.tar


  6. Remove the old image:

    Code Block
    titleRemove old image
    docker image rm -f  crcommondevelopment92007.azurecr.io/smartid-digitalaccess/access-point:6.0.2.26514


  7. Load the new image (assuming it is in /home/agadmin):

    Code Block
    titleLoad new image
    docker load -i /home/agadmin/access-point-6.0.2-sso-fix.tar


  8. Verify that it worked:


    1. Code Block
      titleVerify image
      docker image ls | grep access


    2. This should produce a return output similar to this:

      No Format
      crcommondevelopment92007.azurecr.io/smartid-digitalaccess/access-point           6.0.2.26514         58d0c3e7f973        13 hours ago        495MB


  9. Start the new access point:

    Code Block
    titleStart access point
    docker exec orchestrator hagcli -s access-point -o start


  10. Verify that the access point starts:


    1. Code Block
      titleVerify that access point starts
      docker ps


    2. There should be an entry like this:

      No Format
      d47d2e9943b9        crcommondevelopment92007.azurecr.io/smartid-digitalaccess/access-point:6.0.2.26514           "/run-service.sh"        3 seconds ago       Up 2 seconds (health: starting)                       access-point



Expand
titleDigital Access 6.0.4

This instruction describes how to resolve a phishing vulnerability in Digital Access 6.0.4.

The needed file can be accessed here: https://support2.nexusgroup.com/Release/files/Nexus%20Hybrid%20Access%20Gateway/SSO%20hotfix%20-%20DA-282/6.0.4/access-point-6.0.4-sso-fix.tar

  1. Move the provided file access-point-6.0.4-sso-fix.tar to the virtual appliance. 
  2. ssh into the machine.
  3. Exit from the bash menu and elevate the prompt (use, for example, sudo su - )
  4. Stop the access point:

    Code Block
    titleStop access point
    docker exec orchestrator hagcli -s access-point -o stop


  5. Save the current access point as backup:

    Code Block
    titleSave current access point
    docker save repo.nexusgroup.com/smartid-digitalaccess/access-point:6.0.4.44985 -o /home/agadmin/access-point-6.0.4-original.tar


  6. Remove the old image:

    Code Block
    titleRemove old image
    docker image rm -f  repo.nexusgroup.com/smartid-digitalaccess/access-point:6.0.4.44985


  7. Load the new image (assuming it is in /home/agadmin):

    Code Block
    titleLoad new image
    docker load -i /home/agadmin/access-point-6.0.4-sso-fix.tar


  8. Verify that it worked:


    1. Code Block
      titleVerify image
      docker image ls | grep access


    2. This should produce a return output similar to this:

      No Format
      repo.nexusgroup.com/smartid-digitalaccess/access-point           6.0.4.44985         58d0c3e7f973        13 hours ago        495MB


  9. Start the new access point:

    Code Block
    titleStart access point
    docker exec orchestrator hagcli -s access-point -o start


  10. Verify that the access point starts:


    1. Code Block
      titleVerify that access point starts
      docker ps


    2. There should be an entry like this:

      No Format
      d47d2e9943b9        repo.nexusgroup.com/smartid-digitalaccess/access-point:6.0.4.44985           "/run-service.sh"        3 seconds ago       Up 2 seconds (health: starting)                       access-point