
How to download SSL VPN client 2.3.18 or higher

I've been using UTM 9, SSL VPN client on Windows 10, version 2.1 for years.

Now, my employer's security scanners say that it is "out of date" and removed it.

They say I have to use version 2.3.18 or greater.  Problem is, I can't find that.  I reinstalled SSL VPN client from the portal and again got version 2.1, which is blocked by security.

 

What is the current version?  How do I download the latest version?  The 2.1 version contains an OpenVPN build that reportedly has vulnerabilities.

Thanks!



  • FYI, I downloaded OpenVPN 2.3.18 and got reconnected that way.

    However, when I tried OpenVPN 2.4 (the latest), it said my Sophos ovpn configuration was invalid.

  • All of the UTM modules are "hardened" instead of being updated to the latest release as this is easier than vetting new releases.  I would be surprised if the Sophos SSL VPN Client exhibited the behavior they wanted to prevent.  Did they state their reason for wanting to block V2.1?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • The vulnerability is in the OpenVPN software.  And no, they don't specifically say what it is, and it is not possible to contact them or ask.  It is also not possible to get a waiver or exception.

    But they do say the minimum acceptable client is 2.3.18.


  • If anyone is worried about this, please open a case with Sophos Support and ask if CVE-2017-12166 and earlier vulnerabilities have been fixed in the current client.  Also, ask what the 'Product version' should be on the 'Details' tab of 'openvpn Properties'. 

    Cheers - Bob

     
  • I am getting the same problem: our Nessus scans are flagging the version of OpenVPN as bad. It doesn't matter if the actual issue has been resolved by Sophos; it will still get flagged as a High Risk issue, as the version of OpenVPN has been identified as having the issue.

    Nessus reports: According to its self-reported version number, the version of OpenVPN installed on the remote host is affected by an error related to a weakness in the 'key-method 1' implementation which could allow buffer overflow attacks and result in unexpected code execution.

    Remediation: Upgrade to OpenVPN 2.3.18 / 2.4.4 or later.

    Any chance of a fix for this anytime soon?

    Thanks, 

    Mike 

  • Do you have a CVE? 

    With this CVE, you can report this to Sophos support. But tbh, I do not think the Sophos client is affected by this. I am not familiar with Nessus, but does this tool actually perform an attack, or does it just assume the version is still affected?

  • It does not perform an attack, it just looks at version numbers of all software installed as well as a bunch of other things.  Thanks for the tip on the CVE. 
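The Nessus finding quoted above ("according to its self-reported version number ... upgrade to OpenVPN 2.3.18 / 2.4.4 or later") and the reply that the scanner "just looks at version numbers" describe a purely version-based check. The following is an added example, not code from this thread, from Sophos or from Tenable: it parses a self-reported OpenVPN version string and applies the same branch logic (anything below 2.3.18, or 2.4.0 through 2.4.3, is flagged). The inventory it scans is constructed sample data, and the banner formats are assumed to follow the first line of `openvpn --version`. Running it over a hardened 2.1.x build shows why backported patches never change the verdict: the check has no way to see them.

```python
"""Version-only check of the kind Nessus applies for CVE-2017-12166.

Added example (not the thread's, Sophos' or Tenable's code). It compares a
self-reported OpenVPN version against the fixed versions quoted in the thread
(2.3.18 for the 2.3 and older branches, 2.4.4 for the 2.4 branch). Because it
looks at nothing but the version number, a patched-but-old build is flagged
exactly like an unpatched one.
"""
import re
from typing import Dict, Iterable, Optional, Tuple

Version = Tuple[int, int, int]

# Fixed versions taken from the Nessus remediation text quoted in the thread.
FIXED_2_4: Version = (2, 4, 4)      # 2.4.x is fixed from 2.4.4 onwards
FIXED_OLDER: Version = (2, 3, 18)   # 2.3.x and everything older: fixed in 2.3.18

# Matches "OpenVPN 2.4.3 ..." banners as well as a bare "2.1.4".
_VERSION_RE = re.compile(r"(?:OpenVPN\s+)?(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Optional[Version]:
    """Extract major.minor.patch from a banner or a bare version string.

    Accepts the assumed banner shape 'OpenVPN 2.4.3 x86_64-w64-mingw32 ...'
    (first line of `openvpn --version`) and plain '2.1.4'. Returns None when
    no dotted triple is present, so the caller can report UNKNOWN instead of
    silently passing the host.
    """
    m = _VERSION_RE.search(text)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3)))


def is_flagged(version: Version) -> bool:
    """True when the version is below the fixed version for its branch.

    Branches newer than 2.4 are outside the advisory's range and are not
    flagged. The 2.4 branch is compared against 2.4.4; every older branch
    (2.3, 2.2, 2.1, ...) against 2.3.18, which is why a 2.1.4 client is
    reported regardless of what has been backported into it.
    """
    branch = version[:2]
    if branch > (2, 4):
        return False
    if branch == (2, 4):
        return version < FIXED_2_4
    return version < FIXED_OLDER


# Constructed sample inventory: (hostname, self-reported version string).
# These are not real hosts or real scan results.
SAMPLE_INVENTORY = [
    ("ws-01", "OpenVPN 2.1.4 i686-pc-mingw32 [SSL] [LZO2]"),
    ("ws-02", "OpenVPN 2.3.17 x86_64-w64-mingw32 [SSL (OpenSSL)]"),
    ("ws-03", "2.3.18"),
    ("ws-04", "OpenVPN 2.4.3 x86_64-w64-mingw32 [SSL (OpenSSL)]"),
    ("ws-05", "OpenVPN 2.4.4 x86_64-w64-mingw32 [SSL (OpenSSL)]"),
    ("ws-06", "version string missing"),
]


def scan(inventory: Iterable[Tuple[str, str]]) -> Dict[str, str]:
    """Return {host: verdict}, verdict being 'FLAGGED', 'OK' or 'UNKNOWN'."""
    results: Dict[str, str] = {}
    for host, banner in inventory:
        version = parse_version(banner)
        if version is None:
            results[host] = "UNKNOWN"     # no version to compare; needs a manual look
        elif is_flagged(version):
            results[host] = "FLAGGED"
        else:
            results[host] = "OK"
    return results


if __name__ == "__main__":
    for host, verdict in scan(SAMPLE_INVENTORY).items():
        print(f"{host}: {verdict}")
```

The UNKNOWN verdict is deliberate: a host whose banner cannot be parsed should surface for review rather than disappear from the report, and the same goes for any exception process a scanning provider keeps, since the check itself cannot distinguish a hardened 2.1.x from a stock one.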

  • We use nessus too.

     

    It's not the sophos client that's vulnerable, it's the openvpn software underneath the client.  I mitigated it by manually installing the latest OpenVPN client and using that directly.

  • In case anyone is interested here is the CVE from NIST. nvd.nist.gov/.../CVE-2017-12166

  • Thanks, I may do that but I am not looking forward to having to deploy that unless I have to.  Every PC user uses this software for remote connections.

  • All of these scanners are duller than butter knives, Mike.  If you're running your own scans, you can certainly get a statement from Sophos Support that this vulnerability has been eliminated.  If you're using a provider that scans with Nessus, that should also satisfy them for now.  After that,  I suggest that you change providers to get one that knows how to manage and keep track of exceptions as most don't.

    Sophos would be foolish to make changes based on this message from Nessus.  The developers can deliver a more-secure tool by patching the modules they know instead of vetting and hardening newer versions all of the time.

    In any case, if you're in the same situation as Remouflon (no exceptions allowed by an OpenVPN service to which you want to connect), I don't see how you can avoid doing the upgrades.  Even if Sophos changed the client to a new version, you would have to distribute that, too.

    Good luck!

    Cheers - Bob

     
  • I'm sorry Bob but in this case I'm not with you. It might as well be that all underlying vulnerabilities are effectively being handled by Sophos UTM, but OpenVPN 2.1 was in development from October 2005 until November 2010. So the very last version (2.1.4) is almost 8 years old now. 

    As a security company that always preaches to keep software up-to-date, this is not practicing what you preach.....


    Managing several Sophos firewalls both at work and at some home locations, dedicated to continuously improve IT-security and feeling well helping others with their IT-security challenges.

  • We'll have to agree to disagree, Arno.  They are keeping patches up-to-date and the client does what it needs to do with the UTM.  They don't advertise that it's a client for OpenVPN.  If folks are going to use other OpenVPN servers, they'll need to decide whether they trust the latest OpenVPN client to be used with UTM SSL VPN remote access or if they want to have both the SSL VPN client and the OpenVPN client.

    Cheers - Bob

     