Nexus Documentation
Nexus Documentation
Breadcrumbs

Resolve a phishing vulnerability in Hybrid Access Gateway and Digital Access

This article describes how to handle a possible phishing vulnerability in Nexus Hybrid Access Gateway and Smart ID Digital Access with versions above 5.*. This vulnerability has ID DA-282.

The information in this article is provided as a part of security measures and we urgently request you to apply the patches provided for 5.13.0 to 5.13.5, 6.0.2 and 6.0.4 versions respectively.

See the instructions below for the different versions.

Hybrid Access Gateway 5.13.0 to 5.13.5

This instruction describes how to resolve a phishing vulnerability in Hybrid Access Gateway 5.13.0 to 5.13.5.

The needed file can be accessed here: https://support2.nexusgroup.com/Release/?sub=/SSO%20Vulnerability%20fix%20-%20DA-282/5.13.5%20and%20earlier&cat=Nexus%20Hybrid%20Access%20Gateway

  1. Move the provided file access-point to the virtual appliance.

  2. ssh into the machine.

  3. Exit from the bash menu and elevate the prompt (use, for example, sudo su - )

  4. Go to /opt/nexus/access-point/bin.

  5. Stop the access point:

    /etc/init.d/access-point stop


  6. Copy the current file access-point and save it in a different location.

  7. Remove the file access-point.

  8. Copy the provided file access-point to the folder /opt/nexus/access-point/bin.

  9. Set the correct permissions:

    chown pwuser:pwuser /opt/nexus/access-point/bin/access-point


  10. Start the access point:

    /etc/init.d/access-point start


  11. Make sure that everything works and also verify system logs to check for any anomalies.


Digital Access 6.0.2

This instruction describes how to resolve a phishing vulnerability in Digital Access 6.0.2.

The needed file can be accessed here: https://support2.nexusgroup.com/Release/?sub=/SSO%20Vulnerability%20fix%20-%20DA-282/6.0.2&cat=Nexus%20Hybrid%20Access%20Gateway

  1. Move the provided file access-point-6.0.2-sso-fix.tar to the virtual appliance. 

  2. ssh into the machine.

  3. Exit from the bash menu and elevate the prompt (use, for example, sudo su - )

  4. Stop the access point:

    docker exec orchestrator hagcli -s access-point -o stop


  5. Save the current access point as backup:

    docker save repo.nexusgroup.com/smartid-digitalaccess/access-point:6.0.2.26514 -o /home/agadmin/access-point-6.0.2-original.tar


  6. Remove the old image:

    docker image rm -f  repo.nexusgroup.com/smartid-digitalaccess/access-point:6.0.2.26514


  7. Load the new image (assuming it is in /home/agadmin):

    docker load -i /home/agadmin/access-point-6.0.2-sso-fix.tar


  8. Verify that it worked:


    1. docker image ls | grep access


    2. This should produce a return output similar to this:

      repo.nexusgroup.com/smartid-digitalaccess/access-point 6.0.2.26514 58d0c3e7f973 13 hours ago 495MB


  9. Start the new access point:

    docker exec orchestrator hagcli -s access-point -o start


  10. Verify that the access point starts:


    1. docker ps


    2. There should be an entry like this:

      d47d2e9943b9 repo.nexusgroup.com/smartid-digitalaccess/access-point:6.0.2.26514 "/run-service.sh" 3 seconds ago Up 2 seconds (health: starting) access-point



Digital Access 6.0.3 and 6.0.4

This instruction describes how to resolve a phishing vulnerability in Digital Access 6.0.3 and 6.0.4.

  1. Move the provided file access-point-6.0.4-sso-fix.tar or access-point-6.0.3-sso-fix.tar to the virtual appliance. 

  2. ssh into the machine.

  3. Exit from the bash menu and elevate the prompt (use, for example, sudo su - )

  4. Stop the access point:

    docker exec orchestrator hagcli -s access-point -o stop


  5. Save the current access point as backup:

    docker save repo.nexusgroup.com/smartid-digitalaccess/access-point:6.0.4.44985 -o /home/agadmin/access-point-6.0.4-original.tar


  6. Remove the old image:

    docker image rm -f  repo.nexusgroup.com/smartid-digitalaccess/access-point:6.0.4.44985


  7. Load the new image (assuming it is in /home/agadmin):

    docker load -i /home/agadmin/access-point-6.0.4-sso-fix.tar


  8. Verify that it worked:


    1. docker image ls | grep access


    2. This should produce a return output similar to this:

      repo.nexusgroup.com/smartid-digitalaccess/access-point 6.0.4.44985 58d0c3e7f973 13 hours ago 495MB


  9. Start the new access point:

    docker exec orchestrator hagcli -s access-point -o start


  10. Verify that the access point starts:


    1. docker ps


    2. There should be an entry like this:

      d47d2e9943b9 repo.nexusgroup.com/smartid-digitalaccess/access-point:6.0.4.44985 "/run-service.sh" 3 seconds ago Up 2 seconds (health: starting) access-point


Related information