
How to download SSL VPN client 2.3.18 or higher

I've been using UTM 9, SSL VPN client on Windows 10, version 2.1 for years.

Now, my employer's security scanners say that it is "out of date" and removed it.

They say I have to use version 2.3.18 or greater.  Problem is, I can't find that.  I reinstalled SSL VPN client from the portal and again got version 2.1, which is blocked by security.

 

What is the current version?  How do I download the latest version?  The 2.1 version contains an OpenVPN build that reportedly has vulnerabilities.

Thanks!



  • FYI, I downloaded OpenVPN 2.3.18 and got reconnected that way.

    However, when I tried OpenVPN 2.4 (the latest), it said my Sophos ovpn configuration was invalid.

  • All of the UTM modules are "hardened" instead of being updated to the latest release as this is easier than vetting new releases.  I would be surprised if the Sophos SSL VPN Client exhibited the behavior they wanted to prevent.  Did they state their reason for wanting to block V2.1?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • The vulnerability is in the OpenVPN software.  And no, they don't specifically say what it is, and it is not possible to contact them or ask.  It is also not possible to get a waiver or exception.

    But they do say the minimum acceptable client is 2.3.18.

  • If anyone is worried about this, please open a case with Sophos Support and ask if CVE-2017-12166 and earlier vulnerabilities have been fixed in the current client.  Also, ask what the 'Product version' should be on the 'Details' tab of 'openvpn Properties'. 

    Cheers - Bob

  • I am getting the same problem. Our Nessus scans are flagging the version of OpenVPN as bad. It doesn't matter if the actual issue has been resolved by Sophos; it will still get flagged as a High Risk issue, as the version of OpenVPN has been identified as having the issue.

    Nessus reports: According to its self-reported version number, the version of OpenVPN installed on the remote host is affected by an error related to a weakness in the 'key-method 1' implementation which could allow buffer overflow attacks and result in unexpected code execution

    Remediation: Upgrade to OpenVPN 2.3.18 / 2.4.4 or later.

    Any chance of a fix for this anytime soon?

    Thanks, 

    Mike 
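Both the suggestion above to check the 'Product version' on the 'Details' tab of 'openvpn Properties' and the Nessus finding (which, as the plugin text says, is based on the self-reported version number) come down to reading the version resource of openvpn.exe and comparing it against the fixed releases Nessus names, 2.3.18 and 2.4.4. The following PowerShell script is an added example, not code from the thread or from Sophos; it automates that check across a fleet of PCs. The install paths it searches are assumed defaults and may differ on your machines, and it only reproduces the version-based test, so a "meets minimum" result says nothing about whether Sophos backported the fix into an older build.

```powershell
# Added example (not from the thread): list every openvpn.exe under the usual
# Sophos SSL VPN Client and OpenVPN install paths, read its self-reported
# version (the same field Nessus and the 'Details' tab show) and compare it
# against the fixed versions named in the Nessus remediation text.
# Assumption: the fixed versions are 2.3.18 (2.3 branch) and 2.4.4 (2.4 branch),
# as quoted in the thread; the search paths below are assumed defaults.

$fixedVersions = @{ 3 = [version]'2.3.18'; 4 = [version]'2.4.4' }

function Test-OpenVpnFixed {
    param([Parameter(Mandatory)][version]$Version)
    # 2.3.x must be >= 2.3.18, 2.4.x must be >= 2.4.4, anything newer than 2.4
    # already contains the fix, anything older than 2.3 never got one.
    if ($Version.Major -gt 2) { return $true }
    if ($Version.Major -lt 2 -or $Version.Minor -lt 3) { return $false }
    if ($Version.Minor -eq 3) { return $Version -ge $fixedVersions[3] }
    if ($Version.Minor -eq 4) { return $Version -ge $fixedVersions[4] }
    return $true   # 2.5 and later
}

function Get-OpenVpnVersionReport {
    param(
        [string[]]$SearchRoots = @(
            "$env:ProgramFiles\Sophos\Sophos SSL VPN Client",          # assumed path
            "${env:ProgramFiles(x86)}\Sophos\Sophos SSL VPN Client",   # assumed path
            "$env:ProgramFiles\OpenVPN"                                # assumed path
        )
    )
    foreach ($root in $SearchRoots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        Get-ChildItem -LiteralPath $root -Recurse -Filter openvpn.exe -ErrorAction SilentlyContinue |
          ForEach-Object {
            $vi = $_.VersionInfo
            # ProductVersion is what the 'Details' tab shows; fall back to FileVersion.
            $raw = if ($vi.ProductVersion) { $vi.ProductVersion } else { $vi.FileVersion }
            # Builds often carry a suffix such as "2.3.4-I601"; keep the dotted-number prefix.
            $parsed = $null
            if ($raw -match '^\s*(\d+(\.\d+){1,3})') { $parsed = [version]$Matches[1] }
            [pscustomobject]@{
                Path           = $_.FullName
                ProductVersion = $raw
                MeetsMinimum   = if ($parsed) { Test-OpenVpnFixed $parsed } else { $null }
            }
          }
    }
}

# Usage: run on the PC (or via Invoke-Command against a list of hosts) and
# treat any row where MeetsMinimum is False or empty as a Nessus hit.
Get-OpenVpnVersionReport | Format-Table -AutoSize
```

If the scanner's "self-reported version" comes from somewhere other than the file resource (for example an uninstall registry key), the output here will still tell you what the binary itself claims, which is what the 'Details' tab check in the post above asks Sophos Support to confirm.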

  • Do you have a CVE? 

    With this CVE, you can report this to Sophos Support. But tbh, I do not think the Sophos client is affected by this. I am not familiar with Nessus, but does this tool actually perform an attack, or does it just assume the version is still affected?


  • It does not perform an attack, it just looks at version numbers of all software installed as well as a bunch of other things.  Thanks for the tip on the CVE. 

  • We use Nessus too.

    It's not the Sophos client that's vulnerable, it's the OpenVPN software underneath the client.  I mitigated it by manually installing the latest OpenVPN client and using that directly.

  • In case anyone is interested here is the CVE from NIST. nvd.nist.gov/.../CVE-2017-12166

  • Thanks, I may do that but I am not looking forward to having to deploy that unless I have to.  Every PC user uses this software for remote connections.