OpenVPN Security Advisories 

   

July 1st, 2014 

OpenVPN Access Server "Desktop Client" security advisory

All Access Server customers using the "Desktop Client" app for Windows should upgrade immediately to the OpenVPN Connect client. The "Desktop Client" is obsolete and is no longer maintained or available for download. This client contains a CSRF (Cross-Site Request Forgery) vulnerability that can allow a malicious web site to achieve remote code execution (Credit: Stefan Viehböck, SEC Consult). It is also bundled with an older version of OpenSSL that has not received recent OpenSSL security updates. This advisory applies only to the OpenVPN Access Server "Desktop Client" app for Windows, and does not affect OpenVPN Connect, Private Tunnel, or community builds of OpenVPN for Windows.