Urgent security fix for grid owners

(Image courtesy Davide Restivo  via Flickr.)

(Image courtesy Davide Restivo via Flickr.)

This week, OpenSimulator released a security fix to protect content on public grids.

All public grids should either install the fix, or configure an HTTP proxy to protect important ports, said OpenSim core developer Justin Clark-Casey in the announcement.

But the danger goes beyond protecting the data on grid servers, if the server is actually a home computer on a home network.

“This fix is for all grids, but it most affects people who run their grids at home,” said Avination grid founder and OpenSim core developer Melanie Thielker. “They can scan your home, see how many TVs you have, possibly disable your home alarm. It really is that dangerous. Upgrade, and upgrade now.”

“Everyone needs to install it,” Zetamex CEO Timothy Rogers told Hypergrid Business. “It is a CRITICAL security update.”

Dierk Brunner

Dierk Brunner

Without the fix, malicious visitors to a grid can use the llHTTPRequest and osSetDynamicTextureURL commands to delete assets and inventory items, Dreamland Metaverse CEO Dierk Brunner told Hypergrid Business.

Private OpenSim grids can protect their ports with a firewall, he said. But that’s not the case for open grids.

“OpenSim grids that allow other people to connect regions hosted elsewhere need have these ports opened up to the Internet,” said Brunner, who is also an OpenSim core developer.

According to Brunner, this security hole has been in place since 2007 but, so far, there have been no known instances of anyone actually hacking into a grid’s assets this way.

“It requires quite some in-depth knowledge of OpenSim to be able to do such an attack,” he said.

But that doesn’t mean that grid should put off patching.

“I recommend every grid owner to upgrade their OpenSim grid to an OpenSim version that contains this new security fix as soon as possible,” he said.

The fix has already been added to the latest experimental OpenSim release, 0.8.1-rc2, the current recommended release 0.8.0.4, and to the previous release 0.7.6.3.

Earlier releases than that did not get the patch.

Justin Clark-Casey

Justin Clark-Casey

“All releases prior to 0.7.6 should be considered unsafe,” said Clark-Casey. Unless a grid trusts every single one of its users not to abuse the security hole, they should either update or set up an HTTP proxy.

The HTTP proxy feature was added in 2011, and is part of the [Startup] section in the OpenSim.ini configuration file, and redirects potentially dangerous traffic away from grid assets.

“Ideally, one might go back and update much older releases but resources are scarce and 0.7.5 is now more than two years old,” Clark-Casey added.

The new fix prohibits the use of the llHTTPRequest and osSetDynamicTextureURL commands to access grid services on all regions.

Plus, if a grid has regions that it does not control — such as home-based regions attached by residents who might be using unpatched versions of the code — then the grid’s servers will ignore these types of access attempts.

Related Posts

maria@hypergridbusiness.com'

Maria Korolov

Maria Korolov is editor and publisher of Hypergrid Business. She has been a journalist for more than twenty years and has worked for the Chicago Tribune, Reuters, and Computerworld and has reported from over a dozen countries, including Russia and China.

  • Zauber Paracelsus

    Not the first time the dynamic texture functions have had an exploit. I recall a few years ago, Justin fixed a bug where one of the functions could be used to arbitrarily delete any asset on whichever grid you ran the commands from.

  • Cinder Biscuits

    “Private OpenSim grids can protect their ports with a firewall, he said. But that’s not the case for open grids.”

    Private grids are also affected by this! Don’t believe that this is a security issue only for open grids. If you have not been proxying your lsl http traffic, a malicious script can simply communicate with ROBUST using the same methods the region itself does, and ROBUST doesn’t know the difference because both commands are coming from the region.

  • I find this just incredible. For a hacker to disable our burglar alarm needs that there is code installed to do so. Why is this code here in the first place? Why in 2007 they did not though that a code allowing to freely enter in a system would be used for malicious purposes? Why we waited 8 years for revealing it?

    Is Simonastic also concerned? (Simonastic is for installation on our home computer. It uses the Diva Distro version of Open Sims, And it can be configured for visitors to enter from the Internet, if we give them the IP number of our machine. Is there also code installed for taking control of our toaster?)

  • Susannah Avonside

    I’m so glad that I don’t have any TVs capable of being connected to the interet, and who needs a security system when they have good old fashioned deadlocks? (Plus, any burgular would very disappointed should they manage to breach my physical security methods – most of my stuff is analogue, big and tends to be heavy) Even my toaster is safe – it’s 27 years old and was made in East Germany, so is not only hack proof, but also probably immune from nuclear attack! Seriously though, this is a potential exploit that has been around since OpenSim began, and it seems unlikely that it has been exploited by anyone – until now, of course, everyone now knows about it, because we’re all being told to install a patch to a potential security threat that previously hardly anyone knew about! However, as always it seems wise to update to the latest stable version of any software, and amazingly there are still some grids around that are using, not 7.5, but 7.3 as I recently discovered on one of my HG travels! Getting the 4096 bug error warning was quite a shock to the system!!

  • Justin Clark-Casey

    When I said “All releases prior to 0.7.6 should be considered unsafe.” this should have been “All releases prior to 0.7.6.3 should be considered unsafe”.

    Whether you need to update depends on how much you trust the people who can run scripts on your grid (which includes script in attachments) and whether you have set up a secure HTTP proxy for processing outgoing HTTP. So if you can’t update for some reason and untrusted parties can run scripts then you should set up an HTTP proxy.

    This applies to all grids where untrusted users can run scripts, not just open ones.

    If you are running a server open to the Internet then it is your responsibility to check for updates by following the OpenSimulator mailing list and apply them where necessary.