On April 7th of 2014 we were informed of the vulnerability dubbed Heartbleed (CVE-2014-0160), within one of the Internet's most significant security libraries (OpenSSL). A great number of services across the internet that use this library, including OpenVPN Access Server, may have been affected by this issue. Since learning of this issue, we have taken immediate necessary steps to ensure the security of OpenVPN and the OpenVPN Access Server product. Within 24 hours we have therefore released patches for specific versions of the Access Server that are affected, and we have released Access Server 2.0.6 with the fix for this issue already incorporated. If you are using an older version that contains the affected OpenSSL library you are advised to update immediately.
The affected versions of Access Server that contain the vulnerable OpenSSL library and are vulnerable to Heartbleed are:
- OpenVPN Access Server 1.8.4 and 1.8.5
- OpenVPN Access Server 2.0.0 / 2.0.1 / 2.0.2 / 2.0.3 / 2.0.4 and 2.0.5
The attack vector that is present on the Access Server with the vulnerable OpenSSL libraries is not present on the Connect Clients, so the risk on the client side is negligible. Only the server that your client connects to could possibly exploit this vulnerability, and even then it is unlikely because we use Perfect Forward Security and TLS-auth on top of the SSL connection which prevents this exploit from being successful. The security of the data channel itself is not particularly at risk, only the web services on the server themselves are. And even then, since we use a privilege separation model, the web services run in a completely different process than the OpenVPN daemons handling the data connections, and therefore the private keys for your OpenVPN connections are not likely to be at any risk. Even so, we did not take chances and have released a fix in OpenVPN Access Server 2.0.7 and newer versions, which incorporate updated clients as well. So update your clients as well.
If you have a version other than the aforementioned versions, you are not vulnerable to the Heartbleed vulnerability, but of course we always recommend to keep your system up-to-date. If you are running one of the mentioned versions, we recommend that you upgrade to the latest version available from our website immediately. Please be sure to note that you do need a valid (and not expired) license key in order to upgrade your OpenVPN Access Server maintain a licensed state of your server.
The OpenVPN Connect Client for Windows and macOS should also be updated, and you can do so by updating your OpenVPN Access Server first, and then downloading a new and updated copy of the OpenVPN Connect Client from your updated Access Server.
Note that mobile clients like on iPad, iPhone and Android devices, are not affected as they use PolarSSL instead, so no action needs to be taken there.