
This article describes how to handle a possible denial of service state in the Smart ID Digital Access component, versions 5.13.5 (Hybrid Access Gateway) and 6.0.2 to 6.1.2.

If you are running 6.0.0 or 6.0.1, please contact Digital Access support.

The information in this article is provided as part of our security measures, and we urgently request that you apply the patch provided for your version, from 6.0.2 onwards.

See the instructions below for the different versions. The patches can be found in the support portal.

HAG 5.13.5

The needed file can be accessed here: https://support-old.nexusgroup.com/Release/?sub=/Denial%20of%20service%20fix%20-%20DA-798&cat=Nexus%20Smart%20ID%20Digital%20Access%20(HAG)

  1. Move the provided file access-point to the virtual appliance. (5.13.5/access-point)
  2. SSH into the machine.
  3. Exit from the bash menu and elevate the prompt (use, for example, sudo su - )
  4. Go to /opt/nexus/access-point/bin.
  5. Stop the access point:


    /etc/init.d/access-point stop


  6. Copy the current file access-point and save it in a different location.
  7. Remove the file access-point.
  8. Copy the provided file access-point to the folder /opt/nexus/access-point/bin.
  9. Set the correct permissions:


    chown pwuser:pwuser /opt/nexus/access-point/bin/access-point


  10. Start the access point:


    /etc/init.d/access-point start


  11. Make sure that everything works, and check the system logs for any anomalies.


Digital Access 6.0.2, 6.0.3, 6.0.4

The needed files can be accessed here under the respective version: https://support-old.nexusgroup.com/Release/?sub=/Denial%20of%20service%20fix%20-%20DA-798&cat=Nexus%20Smart%20ID%20Digital%20Access%20(HAG)

Note: The steps to replace the access-point image are shown for 6.0.2. The same steps apply to 6.0.3 and 6.0.4; just substitute the respective file names.


  1. Move the provided file DA-798-6.0.2.tar to the virtual appliance. 
  2. SSH into the machine.
  3. Exit from the bash menu and elevate the prompt (use, for example, sudo su - )
  4. Stop the access point:

    docker exec orchestrator hagcli -s access-point -o stop


  5. Save the existing access point image as a backup:

    Check the image name by running 'sudo docker ps'. The image name will contain one of the repo names 'crcommondevelopment92007.azurecr.io' or 'repo.nexusgroup.com'. Replace <repo_path> accordingly in the commands below.

    docker save <repo_path>/smartid-digitalaccess/access-point:6.0.2.26514 -o /home/agadmin/access-point-6.0.2-original.tar


  6. Remove the above image:

    docker image rm -f <repo_path>/smartid-digitalaccess/access-point:6.0.2.26514


  7. Load the new image (assuming it is in /home/agadmin): 

    docker load -i /home/agadmin/DA-798-6.0.2.tar

    # Run the commands below only if the previous image repo_path was repo.nexusgroup.com
    docker image tag crcommondevelopment92007.azurecr.io/smartid-digitalaccess/access-point:6.0.2.26514 repo.nexusgroup.com/smartid-digitalaccess/access-point:6.0.2.26514

    docker image rm -f crcommondevelopment92007.azurecr.io/smartid-digitalaccess/access-point:6.0.2.26514


  8. Verify that it worked:


    docker image ls | grep access

    This should produce output similar to this:

    <repo_path>/smartid-digitalaccess/access-point           6.0.2.26514         58d0c3e7f973        13 hours ago        495MB


  9. Start the new access point:

    docker exec orchestrator hagcli -s access-point -o start


  10. Verify that the access point starts:

    docker ps



Digital Access 6.0.5, 6.0.6, 6.0.7, 6.1.0, 6.1.1 and 6.1.2

This instruction describes how to resolve a denial of service vulnerability in Digital Access 6.0.5 and above.

  1. SSH into the machine.
  2. Make sure you have an active internet connection. If not, download the access point image from the nexusimages repo manually.

  3. Manually change the image tag for the access point image in /opt/nexus/docker-compose/versiontag.yml to the tag listed for your version in the table below, or upgrade to version 6.1.3, which includes the fix.

    Version    Tag
    6.0.5      6.0.5.100852
    6.0.6      6.0.6.100856
    6.0.7      6.0.7.100712
    6.1.0      6.1.0.100858
    6.1.1      6.1.1.100860
    6.1.2      6.1.2.100866


  4. Restart the services so that all instances of the access points are updated:

    docker stack rm da                      # where da is the deployment stack name
    bash /opt/nexus/scripts/start-all.sh    # to start the services


  5. Verify the access point version running:

    sudo docker ps
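
A scripted form of the version check in step 5 for 6.0.5 to 6.1.2, as an added example that is not part of the original article or of Nexus tooling: it reads image references as printed by docker ps and compares each access-point tag with the table above. It assumes the image is still named <repo_path>/smartid-digitalaccess/access-point as in the 6.0.x steps; the function names and the sample lines are constructed.

```shell
#!/usr/bin/env bash
# Added example: compare running access-point tags with the fixed tags above.

# Fixed tag for a product version; values copied from the table above.
fixed_tag_for() {
  case "$1" in
    6.0.5) echo "6.0.5.100852" ;;
    6.0.6) echo "6.0.6.100856" ;;
    6.0.7) echo "6.0.7.100712" ;;
    6.1.0) echo "6.1.0.100858" ;;
    6.1.1) echo "6.1.1.100860" ;;
    6.1.2) echo "6.1.2.100866" ;;
    *) return 1 ;;
  esac
}

# Reads image references on stdin, one per line, as printed by
#   sudo docker ps --format '{{.Image}}'
# Returns 0 if every access-point image has the fixed tag, 1 if any does not
# (or its version is not in the table), 2 if no access-point image is seen.
check_access_point_images() {
  local seen=0 bad=0 image ref tag version want
  while IFS= read -r image || [ -n "$image" ]; do
    ref="${image%%@*}"                        # drop an optional @sha256:... digest
    case "$ref" in
      */access-point:*) ;;                    # assumed naming, as in the 6.0.x steps
      *) continue ;;
    esac
    seen=1
    tag="${ref##*:}"                          # e.g. 6.1.2.100866
    version="$(echo "$tag" | cut -d. -f1-3)"  # e.g. 6.1.2
    if ! want="$(fixed_tag_for "$version")"; then
      echo "UNKNOWN   $ref (version $version is not in the table)"; bad=1
    elif [ "$tag" = "$want" ]; then
      echo "PATCHED   $ref"
    else
      echo "UNPATCHED $ref (expected tag $want)"; bad=1
    fi
  done
  [ "$seen" -eq 1 ] || { echo "no access-point container found"; return 2; }
  return "$bad"
}

# Constructed sample input (registry.example and tag 6.0.6.100001 are made up):
sample_images() {
  printf '%s\n' 'registry.example/smartid-digitalaccess/access-point:6.1.2.100866' \
    'registry.example/smartid-digitalaccess/access-point:6.0.6.100001'
}
sample_images | check_access_point_images || echo "exit status: $?"
```

On the appliance, pipe the real list into the function instead of the sample. The check does not apply to 6.0.2 to 6.0.4, where the patched image keeps the same tag as the original.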