Urgent security fix for grid owners

(Image courtesy Davide Restivo via Flickr.)

This week, OpenSimulator released a security fix to protect content on public grids.

All public grids should either install the fix, or configure an HTTP proxy to protect important ports, said OpenSim core developer Justin Clark-Casey in the announcement.

But the danger goes beyond protecting the data on grid servers, if the server is actually a home computer on a home network.

“This fix is for all grids, but it most affects people who run their grids at home,” said Avination grid founder and OpenSim core developer Melanie Thielker. “They can scan your home, see how many TVs you have, possibly disable your home alarm. It really is that dangerous. Upgrade, and upgrade now.”

“Everyone needs to install it,” Zetamex CEO Timothy Rogers told Hypergrid Business. “It is a CRITICAL security update.”

Dierk Brunner

Without the fix, malicious visitors to a grid can use the llHTTPRequest and osSetDynamicTextureURL commands to delete assets and inventory items, Dreamland Metaverse CEO Dierk Brunner told Hypergrid Business.

Private OpenSim grids can protect their ports with a firewall, he said. But that’s not the case for open grids.

“OpenSim grids that allow other people to connect regions hosted elsewhere need to have these ports opened up to the Internet,” said Brunner, who is also an OpenSim core developer.

According to Brunner, this security hole has been in place since 2007 but, so far, there have been no known instances of anyone actually hacking into a grid’s assets this way.

“It requires quite some in-depth knowledge of OpenSim to be able to do such an attack,” he said.

But that doesn’t mean that grids should put off patching.

“I recommend every grid owner to upgrade their OpenSim grid to an OpenSim version that contains this new security fix as soon as possible,” he said.

The fix has already been added to the latest experimental OpenSim release, 0.8.1-rc2, the current recommended release 0.8.0.4, and to the previous release 0.7.6.3.

Earlier releases than that did not get the patch.

Justin Clark-Casey

“All releases prior to 0.7.6 should be considered unsafe,” said Clark-Casey. Unless a grid trusts every single one of its users not to abuse the security hole, it should either update or set up an HTTP proxy.

The HTTP proxy feature, added in 2011 and configured in the [Startup] section of the OpenSim.ini file, redirects potentially dangerous traffic away from grid assets.

“Ideally, one might go back and update much older releases but resources are scarce and 0.7.5 is now more than two years old,” Clark-Casey added.

The new fix prohibits the use of the llHTTPRequest and osSetDynamicTextureURL commands to access grid services on all regions.

Plus, if a grid has regions that it does not control — such as home-based regions attached by residents who might be using unpatched versions of the code — then the grid’s servers will ignore these types of access attempts.
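To make concrete what blocking script-originated requests to grid services means, here is an added egress-filter example in Python. It is not OpenSim's code and not the actual fix; the grid-service port numbers and the test URLs are constructed assumptions, and it checks literal addresses only (a real filter must also resolve DNS names and check the resolved address).

```python
# Added example, not OpenSim's implementation: decide whether a URL requested
# by an in-world script (llHTTPRequest / osSetDynamicTextureURL) may be fetched.
# The idea is the one in the article: scripts must not reach grid services or
# anything on the local network behind the simulator.
import ipaddress
from urllib.parse import urlsplit

# Assumed for this example: ports on which the grid's own services listen.
GRID_SERVICE_PORTS = {8002, 8003}


def is_internal(host: str) -> bool:
    """True for loopback, link-local, RFC 1918/private and reserved addresses.

    Only literal IP addresses are classified here; a DNS name returns False
    and would need resolution in a real filter (DNS rebinding is the classic
    way to slip past a name-only check).
    """
    if host == "localhost":
        return True
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False  # not a literal address
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_reserved or ip.is_unspecified or ip.is_multicast)


def script_request_allowed(url: str) -> bool:
    """Return True only for http/https URLs that leave the grid and its LAN."""
    try:
        parts = urlsplit(url)
        port = parts.port  # raises ValueError for out-of-range ports
    except ValueError:
        return False
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    if port is None:
        port = 443 if parts.scheme == "https" else 80
    if is_internal(parts.hostname):
        return False  # simulator host, home LAN, loopback
    if port in GRID_SERVICE_PORTS:
        return False  # grid services, even on a public address
    return True


if __name__ == "__main__":
    # Constructed sample requests a malicious script might issue.
    for u in ("http://127.0.0.1:8003/assets/", "http://192.168.1.20/",
              "http://assets.grid.example:8003/", "https://www.example.org/a.png"):
        print(u, "->", "allow" if script_request_allowed(u) else "block")
```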

Maria Korolov