This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

How to download SSL VPN client 2.3.18 or higher

I've been using UTM 9, SSL VPN client on Windows 10, version 2.1 for years.

Now, my employer's security scanners says that is "out of date" and removed it.

They say I have to use version 2.3.18 or greater.  Problem is, I can't find that.  I reinstalled SSL VPN client from the portal and again got version 2.1, which is blocked by security.

 

What is the current version?  How do I download the latest version?  The 2.1 version contains an OpenVPN build that reportedly has vulnerabilities.

Thanks!



This thread was automatically locked due to age.
Parents
  • FYI, I downloaded OpenVPN 2.3.18 and got reconnected that way.

    However, when I tried OpenVPN 2.4 (the latest), it said my Sophos ovpn configuration was invalid.

  • All of the UTM modules are "hardened" instead of being updated to the latest release as this is easier than vetting new releases.  I would be surprised if the Sophos SSL VPN Client exhibited the behavior they wanted to prevent.  Did they state their reason for wanting to block V2.1?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • If anyone is worried about this, please open a case with Sophos Support and ask if CVE-2017-12166 and earlier vulnerabilities have been fixed in the current client.  Also, ask what the 'Product version' should be on the 'Details' tab of 'openvpn Properties'. 

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • I am getting the same problem, our Nessus scans are flagging the version of OpenVPN as bad, it doesn't matter if the actual issue has been resolved by Sophos, it will still get flagged as a High Risk issue as the version of OpenVPN has been identified as having the issue. 

    Nessus reports: According to its self-reported version number, the version of OpenVPN installed on the remote host is affected by an error related to a weakness in the 'key-method 1' implementation which could allow buffer overflow attacks and result in unexpected code execution

    Remediation: Upgrade to OpenVPN 2.3.18 / 2.4.4 or later.

    Any chance of a fix for this anytime soon?

    Thanks, 

    Mike 

  • Do you have a CVE? 

    With this CVE, you can report this to the sophos support. But tbh, i do not think, the sophos client is affected by this. I am not familiar with Nessus, but does this tool actual perform a attack or it just assume, the version is still affected? 

    __________________________________________________________________________________________________________________

  • It does not perform an attack, it just looks at version numbers of all software installed as well as a bunch of other things.  Thanks for the tip on the CVE. 

  • We use nessus too.

     

    It's not the sophos client that's vulnerable, it's the openvpn software underneath the client.  I mitigated it by manually installing the latest OpenVPN client and using that directly.

  • In case anyone is interested here is the CVE from NIST. nvd.nist.gov/.../CVE-2017-12166

  • Thanks, I may do that but I am not looking forward to having to deploy that unless I have to.  Every PC user uses this software for remote connections.

  • All of these scanners are duller than butter knives, Mike.  If you're running your own scans, you can certainly get a statement from Sophos Support that this vulnerability has been eliminated.  If you're using a provider that scans with Nessus, that should also satisfy them for now.  After that,  I suggest that you change providers to get one that knows how to manage and keep track of exceptions as most don't.

    Sophos would be foolish to make changes based on this message from Nessus.  The developers can deliver a more-secure tool by patching the modules they know instead of vetting and hardening newer versions all of the time.

    In any case, if you're in the same situation as Remouflon (no exceptions allowed by an OpenVPN service to which you want to connect), I don't see how you can avoid doing the upgrades.  Even if Sophos changed the client to a new version, you would have to distribute that, too.

    Good luck!

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • I'm sorry Bob but in this case I'm not with you. It might as well be that all underlying vulnerabilities are effectively being handled by Sophos UTM, but OpenVPN 2.1 was in development from October 2005 until November 2010. So the very last version (2.1.4) is almost 8 years old now. 

    As a security company that always preaches to keep software up-to-date this is not practicing what your preach.....


    Managing several Sophos firewalls both at work and at some home locations, dedicated to continuously improve IT-security and feeling well helping others with their IT-security challenges.

  • We'll have to agree to disagree, Arno.  They are keeping patches up-to-date and the client does what it needs to do with the UTM.  They don't advertise that it's a client for OpenVPN.  If folks are going to use other OpenVPN servers, they'll need to decide whether they trust the latest OpenVPN client to be used with UTM SSL VPN remote access or if they want to have both the SSL VPN client and the OpenVPN client.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
Reply
  • We'll have to agree to disagree, Arno.  They are keeping patches up-to-date and the client does what it needs to do with the UTM.  They don't advertise that it's a client for OpenVPN.  If folks are going to use other OpenVPN servers, they'll need to decide whether they trust the latest OpenVPN client to be used with UTM SSL VPN remote access or if they want to have both the SSL VPN client and the OpenVPN client.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
Children
No Data