Skip to main content
Skip table of contents

Resolve a vulnerability in Digital Access that can result in a Denial of service

This article describes how to handle a possible denial of service state in Smart ID Digital Access component with versions 5.13.5 (Hybrid Access Gateway) and 6.0.2 to 6.1.2.

If you are running 6.0.0 or 6.0.1, please contact Digital Access support.

The information in this article is provided as a part of security measures and we urgently request you to apply the patches provided from 6.0.2 versions onwards respectively.

See the instructions below for the different versions. The patches can be found in the support portal.

HAG 5.13.5

The needed file can be accessed here: https://support-old.nexusgroup.com/Release/?sub=/Denial%20of%20service%20fix%20-%20DA-798&cat=Nexus%20Smart%20ID%20Digital%20Access%20(HAG)

  1. Move the provided file access-point to the virtual appliance. (5.13.5/access-point)
  2. SSH into the machine.
  3. Exit from the bash menu and elevate the prompt (use, for example, sudo su - )
  4. Go to /opt/nexus/access-point/bin.

  5. Stop the access point:

    Stop access point

    CODE 
    /etc/init.d/access-point stop
  6. Copy the current file access-point and save it in a different location.
  7. Remove the file access-point.
  8. Copy the provided file access-point to the folder /opt/nexus/access-point/bin.

  9. Set the correct permissions:

    Set the correct permissions

    CODE 
    chown pwuser:pwuser /opt/nexus/access-point/bin/access-point
  10. Start the access point:

    Start access point

    CODE 
    /etc/init.d/access-point start
  11. Make sure that everything works and also verify system logs to check for any anomalies.
Digital Access 6.0.2, 6.0.3, 6.0.4

The needed files can be accessed here under the respective version: https://support-old.nexusgroup.com/Release/?sub=/Denial%20of%20service%20fix%20-%20DA-798&cat=Nexus%20Smart%20ID%20Digital%20Access%20(HAG)

The steps to replace the access-point image is mentioned for 6.0.2. The same applies to 6.0.3 and 6.0.4 (just replace with respective filenames).


  1. Move the provided file DA-798-6.0.2.tar to the virtual appliance. 
  2. SSH into the machine.
  3. Exit from the bash menu and elevate the prompt (use, for example, sudo su - )

  4. Stop the access point:

    Stop access point

    CODE 
    docker exec orchestrator hagcli -s access-point -o stop

  5. Saving the existing access point image as backup:

    Check the image name by doing 'sudo docker ps'. The image name will either contain repo names 'crcommondevelopment92007.azurecr.io' OR 'repo.nexusgroup.com' Replace the repo_path accordingly below.

    Save current access point

    CODE 
    docker save <repo_path>/smartid-digitalaccess/access-point:6.0.2.26514 -o /home/agadmin/access-point-6.0.2-original.tar

  6. Remove the above image:

    Remove old image

    CODE 
    docker image rm -f  <repo_path>/smartid-digitalaccess/access-point:6.0.2.26514

  7. Load the new image (assuming it is in /home/agadmin): 

    Load new image

    CODE 
    docker load -i /home/agadmin/DA-798-6.0.2.tar

// Run the below commands only if the previous image repo_path was repo.nexusgroup.com
docker image tag crcommondevelopment92007.azurecr.io/smartid-digitalaccess/access-point:6.0.2.26514 repo.nexusgroup.com/smartid-digitalaccess/access-point:6.0.2.26514

docker image rm -f crcommondevelopment92007.azurecr.io/smartid-digitalaccess/access-point:6.0.2.26514

  8. Verify that it worked:

    1. Verify image

      CODE 
      docker image ls | grep access

    2. This should produce a return output similar to this:

      <repo_path>/smartid-digitalaccess/access-point           6.0.2.26514         58d0c3e7f973        13 hours ago        495MB

  9. Start the new access point:

    Start access point

    CODE 
    docker exec orchestrator hagcli -s access-point -o start

  10. Verify that the access point starts:

    Verify that access point starts

    CODE 
    docker ps
Digital Access 6.0.5, 6.0.6, 6.0.7, 6.1.0, 6.1.1 and 6.1.2

This instruction describes how to resolve a denial of service vulnerability in Digital Access 6.0.5 and above.

  1. SSH into the machine

  2. Make sure you have an active internet connection. If not then download the access point image from the nexusimages repo manually.

  3. Manually change the image tag for the access point image in /opt/nexus/docker-compose/versiontag.yml as per below table based on version OR upgrade to version 6.1.3 that includes the fix.

    VersionsTags
    6.0.56.0.5.100852
    6.0.66.0.6.100856
    6.0.76.0.7.100712
    6.1.06.1.0.100858
    6.1.16.1.1.100860
    6.1.26.1.2.100866

  4. Restart the services so that all instances of the access points are updated:

    Restart all services

    CODE 
    docker stack rm da  					//where da is the deployment stack name
bash /opt/nexus/scripts/start-all.sh 	// to start the services

  5. Verify the access point version running:

    Check version

    CODE 
    sudo docker ps
JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.

Contact Support Close