Diva Distro seals vulnerability, grids need to update

A typical WiFi screen, part of the Diva Distro, is the web-based front end for the Diva Distro version of OpenSim.

OpenSim customers that use the Diva Distro version of OpenSim or its Diva Wifi website interface screen, as in the image above, should install the latest security patch to seal a vulnerability that could leave their grids susceptible to crashing.

The Diva Distro software is almost as old as OpenSim itself. It was first released in 2009, primarily out of the desire to make it easy to use OpenSim for education and not to provide a production-ready web interface for public grids. The Wifi feature was added in 2010 by OpenSim core developer and hypergrid inventor Crista Lopes, also known as “Diva Canto.” Lopes is a professor of informatics at the University of California, Irvine. You can follow her on Twitter at @divacanto.

By default, the Diva Distro creates a four-region OpenSim minigrid. Despite not being a production-ready web interface for public grids, it used to be the most popular way to create quick home-based OpenSim grids before the DreamGrid distribution was released. Nevertheless, development of DivaWifi continues, to make it more suitable for securely creating and running public grids.

The new security patch removes an attack vector in the web server created by recursive code paths, which had the potential to cause a crash, said Zetamex Network CEO Vincent Sylvester, who wrote and tested the patch.

“Those running Wifi need to compile or receive new binaries to patch their systems as this is just a merge of the codebase without a direct binary release,” he told Hypergrid Business. “The vast majority do not compile Wifi themselves or maintain a development copy of OpenSim so it will take a while for this change to make it onto grids out there.”

People running Diva Wifi can also set up a service for the Robust instance running Wifi so that it is restarted if it crashes. This can be done on both Linux and Windows, given some knowledge of how to set up the service correctly, he said.

“On Linux, systemctl offers fairly simple setups for creating custom services, with the biggest trouble getting it to recognize the specific Robust instance,” said Sylvester. “On Windows, it is a bit more complicated in setup, but works via internal pointers so it generally keeps good track of the process itself.”
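
As an added illustration of the Linux approach described above (not code from the article, from Zetamex or from the Diva Distro project), a systemd unit that restarts a crashed Robust instance could look like the following. The install path /opt/opensim/bin, the opensim service account, the unit name robust.service and the Robust.HG.ini file name are assumptions to adapt, and the unit assumes this Robust instance can run without an attached terminal.

```ini
# /etc/systemd/system/robust.service  (assumed unit name and location)
# Added example: keeps the Robust instance that serves Wifi running after a crash.

[Unit]
Description=OpenSim Robust instance serving Diva Wifi (example unit)
Wants=network-online.target
After=network-online.target
# Stop retrying if the process dies 5 times within 5 minutes, so repeated
# crashes show up as a failed unit instead of an endless restart loop.
StartLimitIntervalSec=300
StartLimitBurst=5

[Service]
# Type=simple makes systemd track the mono process it starts directly,
# which ties the service to this specific Robust instance.
Type=simple
# Assumed unprivileged account; do not run the grid services as root.
User=opensim
Group=opensim
# Assumed install path; Robust resolves its config files relative to bin/.
WorkingDirectory=/opt/opensim/bin
ExecStart=/usr/bin/mono Robust.exe -inifile=Robust.HG.ini
# Restart only on abnormal exit (non-zero status or signal), not on a clean stop.
Restart=on-failure
RestartSec=10
# The service never needs to gain privileges after start.
NoNewPrivileges=true

[Install]
WantedBy=multi-user.target

# Activate and inspect:
#   systemctl daemon-reload
#   systemctl enable --now robust.service
#   journalctl -u robust.service     (restart history and crash output)
```

A restart policy only shortens the downtime; the grid stays crashable until the patched binaries are installed.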

The Diva Distro software is a lightweight, easy and quick-to-use way to create small home-based OpenSim grids, and its Wifi interface is an easy alternative to having a full grid website. Some bigger grids use the Wifi interface as part of a bigger site, however, to provide stats and handle user registration.

“The exploit has been used over the past few months to attack many grids,” said AviWorlds CEO Josh Boam, who first reported the problem to Hypergrid Business. The exploit can cause a grid to crash and requires the grid owners to restart it. However, it doesn’t do anything else more damaging, such as expose user data or provide access to internal systems. Still, it can cause unnecessary downtime.

Most larger grids either use their own code, or are already patched against the problem.

Kitely does not use Diva Wifi, for instance, but has its own grid management, said Kitely CEO Ilan Tochner.

“The Kitely system includes hundreds of thousands of lines of our own code in addition to multiple third-party systems that we’ve integrated,” he told Hypergrid Business. “We’ve done a lot of work to protect our system as should anyone else who runs servers that are connected to the internet. We also have written plans for how to respond to various catastrophe scenarios so we won’t have to figure it out as we go if something were to happen to our system.”

The DreamGrid version of OpenSim, another very popular distribution with an even easier setup, uses an interface built on top of Diva Wifi, but is not vulnerable to the issue.

“DreamGrids were fixed a year ago,” Fred Beckhusen, CEO at Micro Technology Services Inc., which runs both DreamGrid and OutWorldz, told Hypergrid Business. “It’s a non-issue to us.”

Beckhusen also submitted his fix to the Diva Distro project a year ago.