Security Advisory

OpenVPN Desktop Client deprecation notice

Description

The OpenVPN Desktop Client has been deprecated for a while and no longer receives maintenance. It is obsolete and is no longer available for download. All OpenVPN Access Server customers still using the OpenVPN Desktop Client for Windows should upgrade immediately to the OpenVPN Connect Client that comes bundled with our latest OpenVPN Access Server product.

This client contains a CSRF (cross-site request forgery) vulnerability, discovered by Stefan Viehböck of SEC Consult, that can allow remote code execution by a malicious web site. The OpenVPN Desktop Client also contains an older version of OpenSSL that has not received recent OpenSSL security updates.

This advisory applies only to the OpenVPN Desktop Client app for Windows. It does not affect OpenVPN Connect Client, Private Tunnel, or OpenVPN open source builds for Windows.

Resolution

We still see some users actively using this program. We strongly advise these users to switch to the newer client program, OpenVPN Connect Client, or to an up-to-date OpenVPN open source alternative. We advise that you always try to use the latest version of the server and client software where possible.