This article describes how to handle a possible denial of service state in Smart ID Digital Access component with versions 5.13.5 (Hybrid Access Gateway) and 6.0.2 to 6.1.2.
If you are running 6.0.0 or 6.0.1, please contact Digital Access support.
The information in this article is provided as a part of security measures and we urgently request you to apply the patches provided from 6.0.2 versions onwards respectively.
See the instructions below for the different versions. The patches can be found in the support portal.
HAG 5.13.5
The needed file can be accessed here: https://support-old.nexusgroup.com/Release/?sub=/Denial%20of%20service%20fix%20-%20DA-798&cat=Nexus%20Smart%20ID%20Digital%20Access%20(HAG)
- Move the provided file access-point to the virtual appliance. (5.13.5/access-point)
- SSH into the machine.
- Exit from the bash menu and elevate the prompt (use, for example,
sudo su - ) - Go to /opt/nexus/access-point/bin.
Stop the access point:
/etc/init.d/access-point stop
- Copy the current file access-point and save it in a different location.
- Remove the file access-point.
- Copy the provided file access-point to the folder /opt/nexus/access-point/bin.
Set the correct permissions:
chown pwuser:pwuser /opt/nexus/access-point/bin/access-point
- Start the access point:
/etc/init.d/access-point start
- Make sure that everything works and also verify system logs to check for any anomalies.
Digital Access 6.0.2, 6.0.3, 6.0.4
The needed files can be accessed here under the respective version: https://support-old.nexusgroup.com/Release/?sub=/Denial%20of%20service%20fix%20-%20DA-798&cat=Nexus%20Smart%20ID%20Digital%20Access%20(HAG)
- Move the provided file DA-798-6.0.2.tar to the virtual appliance.
- SSH into the machine.
- Exit from the bash menu and elevate the prompt (use, for example,
sudo su - ) Stop the access point:
docker exec orchestrator hagcli -s access-point -o stop
Saving the existing access point image as backup:
Check the image name by doing 'sudo docker ps'. The image name will either contain repo names 'crcommondevelopment92007.azurecr.io' OR 'repo.nexusgroup.com' Replace the repo_path accordingly below.
docker save <repo_path>/smartid-digitalaccess/access-point:6.0.2.26514 -o /home/agadmin/access-point-6.0.2-original.tar
Remove the above image:
docker image rm -f <repo_path>/smartid-digitalaccess/access-point:6.0.2.26514
Load the new image (assuming it is in /home/agadmin):
docker load -i /home/agadmin/DA-798-6.0.2.tar
// Run the below commands only if the previous image repo_path was repo.nexusgroup.com
docker image tag crcommondevelopment92007.azurecr.io/smartid-digitalaccess/access-point:6.0.2.26514 repo.nexusgroup.com/smartid-digitalaccess/access-point:6.0.2.26514
docker image rm -f crcommondevelopment92007.azurecr.io/smartid-digitalaccess/access-point:6.0.2.26514
Verify that it worked:
docker image ls | grep access
This should produce a return output similar to this:
Start the new access point:
docker exec orchestrator hagcli -s access-point -o start
Verify that the access point starts:
Digital Access 6.0.5, 6.0.6, 6.0.7, 6.1.0, 6.1.1 and 6.1.2
This instruction describes how to resolve a denial of service vulnerability in Digital Access 6.0.5 and above.
- SSH into the machine
Make sure you have an active internet connection. If not then download the access point image from the nexusimages repo manually.
Manually change the image tag for the access point image in /opt/nexus/docker-compose/versiontag.yml as per below table based on version OR upgrade to version 6.1.3 that includes the fix.
| Versions | Tags |
|---|
| 6.0.5 | 6.0.5.100852 |
| 6.0.6 | 6.0.6.100856 |
| 6.0.7 | 6.0.7.100712 |
| 6.1.0 | 6.1.0.100858 |
| 6.1.1 | 6.1.1.100860 |
| 6.1.2 | 6.1.2.100866 |
Restart the services so that all instances of the access points are updated:
docker stack rm da //where da is the deployment stack name
bash /opt/nexus/scripts/start-all.sh // to start the services
Verify the access point version running:
