OpenVPN Security Advisories
Important security notice regarding ‘Heartbleed’ vulnerability
On Monday evening, April 7th, we were informed of a major vulnerability, dubbed 'Heartbleed' (CVE-2014-0160), in OpenSSL, one of the Internet's most widely used security libraries. A great number of services across the internet, including OpenVPN Access Server, may have been affected by this issue. Since learning of it, we have taken the steps necessary to secure OpenVPN and the OpenVPN Access Server product. On the morning of April 8th we released patches for the specific Access Server versions that are affected, and we released Access Server 2.0.6 with the fix already incorporated.
The affected versions of Access Server are 1.8.4, 1.8.5, 2.0.0, 2.0.1, 2.0.2, 2.0.3, 2.0.4, and 2.0.5. Versions older or newer than these are not vulnerable to Heartbleed, but we always recommend keeping your system up to date. If you are running one of the listed versions, upgrade to the latest version available from our website. Note that you need a valid (not expired) license key in order to upgrade. For those who cannot or will not update to the latest version, we offer patched library files that fix the vulnerability.
As always, the OpenVPN Access Server packages, which can be installed on physical, virtual, cloud, and appliance machines, can be downloaded from the following address, after which you can perform an upgrade installation that retains your settings and brings your system up-to-date:
The library patch files for those that cannot or will not update are here:
The attack vector present on an Access Server with vulnerable OpenSSL libraries is not present on the Connect clients, so the risk there is minimal. Only the server that your client connects to could exploit the bug in the client's OpenSSL, and even then it is unlikely to matter because we use Perfect Forward Secrecy and tls-auth on top of the TLS connection. The security of the data channel itself is not particularly at risk; the web services on the server are. And even there, because we use a privilege separation model, the web services run in a completely separate process from the OpenVPN daemons that handle the data connections, so the private keys for your OpenVPN connections are unlikely to be at risk. Even so, we don't want to take chances and will release 2.0.7 soon, which will incorporate updated clients as well. Those who want the updated clients right now can download them from the following address:
Mobile clients, such as those for iPad, iPhone and Android devices, are not affected, as they use PolarSSL instead of OpenSSL.
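To make concrete why an unpatched OpenSSL behind the Access Server web services could leak process memory, here is an added Python model of the heartbeat bug and its fix. This is illustration written for this page, not OpenVPN's or OpenSSL's code: the receive-buffer layout and the "session cookie" that sits next to it are constructed, and the handlers mirror the logic of the pre- and post-fix OpenSSL heartbeat processing in simplified form.

```python
"""Toy model of the OpenSSL TLS heartbeat bug (CVE-2014-0160, "Heartbleed").

Added illustration, not code from OpenVPN or OpenSSL. A TLS heartbeat message
is: type (1 byte) | payload_length (2 bytes, big-endian) | payload | padding.
Before the fix, OpenSSL copied `payload_length` bytes from the received
record into its reply without checking that the record actually held that
many bytes, so a short record with a large claimed length echoed back
whatever followed it in process memory. The fix bounds-checks the claimed
length against the record length and silently drops malformed requests.
"""
import struct

TLS1_HB_REQUEST = 1
TLS1_HB_RESPONSE = 2
HB_HEADER_LEN = 3        # type (1) + payload_length (2)
HB_MIN_PADDING = 16      # RFC 6520: at least 16 bytes of padding


def build_heartbeat_request(payload: bytes, claimed_len: int) -> bytes:
    """Build a heartbeat request; claimed_len may lie about the payload size."""
    return (struct.pack("!BH", TLS1_HB_REQUEST, claimed_len)
            + payload + b"\x00" * HB_MIN_PADDING)


def vulnerable_process_heartbeat(memory: bytes, record_len: int) -> bytes:
    """Pre-fix behaviour: trust the peer-supplied payload length.

    `memory` models the receive buffer plus whatever happens to follow it in
    the process; only the first `record_len` bytes belong to the record that
    was actually received. record_len is accepted but never consulted, which
    is the bug.
    """
    hbtype, payload_len = struct.unpack("!BH", memory[:HB_HEADER_LEN])
    if hbtype != TLS1_HB_REQUEST:
        return b""
    # BUG: copies payload_len bytes after the header regardless of record_len
    payload = memory[HB_HEADER_LEN:HB_HEADER_LEN + payload_len]
    return (struct.pack("!BH", TLS1_HB_RESPONSE, payload_len)
            + payload + b"\x00" * HB_MIN_PADDING)


def fixed_process_heartbeat(memory: bytes, record_len: int):
    """Post-fix behaviour: reject records whose claimed payload does not fit."""
    # Too short to hold even header + minimum padding: discard silently
    if record_len < HB_HEADER_LEN + HB_MIN_PADDING:
        return None
    hbtype, payload_len = struct.unpack("!BH", memory[:HB_HEADER_LEN])
    if hbtype != TLS1_HB_REQUEST:
        return None
    # The Heartbleed fix: header + payload + padding must fit in the record
    if HB_HEADER_LEN + payload_len + HB_MIN_PADDING > record_len:
        return None
    payload = memory[HB_HEADER_LEN:HB_HEADER_LEN + payload_len]
    return (struct.pack("!BH", TLS1_HB_RESPONSE, payload_len)
            + payload + b"\x00" * HB_MIN_PADDING)


# Constructed sample: a 4-byte payload that claims to be 64 bytes, followed in
# "memory" by a secret the server happens to hold (an invented session cookie).
REAL_PAYLOAD = b"ping"
SECRET = b"session=0123456789abcdef; admin=true"
REQUEST = build_heartbeat_request(REAL_PAYLOAD, claimed_len=64)
MEMORY = REQUEST + SECRET + b"\x00" * 64


def leaked_bytes() -> bytes:
    """Bytes beyond the real record that the vulnerable handler echoes back."""
    response = vulnerable_process_heartbeat(MEMORY, len(REQUEST))
    echoed = response[HB_HEADER_LEN:-HB_MIN_PADDING]      # the 64-byte "payload"
    return echoed[len(REAL_PAYLOAD) + HB_MIN_PADDING:]    # skip real payload + padding


if __name__ == "__main__":
    print("vulnerable handler leaks:", leaked_bytes())
    print("fixed handler returns:", fixed_process_heartbeat(MEMORY, len(REQUEST)))
```

Run stand-alone, the vulnerable handler's reply carries the constructed cookie that followed the 23-byte record, while the fixed handler drops the same request without replying. In a real server the bytes following the record could be anything recently used by that process, which is why the advisory stresses that the exposed component is the web service process rather than the separately running OpenVPN daemons.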
OpenVPN Access Server "Desktop Client" security advisory
All Access Server customers using the "Desktop Client" app for Windows should upgrade immediately to the OpenVPN Connect client. The "Desktop Client" is obsolete and is no longer maintained or available for download. This client contains a CSRF (Cross Site Request Forgery) vulnerability that can allow remote code execution by a malicious web site (Credit: Stefan Viehböck, SEC Consult). It is also bundled with an older version of OpenSSL that has not received recent OpenSSL security updates. This advisory only applies to the OpenVPN Access Server "Desktop Client" app for Windows, and does not affect OpenVPN Connect, Private Tunnel, or community builds of OpenVPN for Windows.