Sophos Connect (OpenVPN) Security Statement

Question

Sophos Connect still uses the very old OpenVPN version 2.5.6.0 and there have been some security annoucements since that version: https://community.openvpn.net/openvpn/wiki/SecurityAnnouncements 
 e.g. the last CVE-2024-27459: Windows: fix a possible stack overflow in the interactive service component which might lead to a local privilege escalation 
 Here I would like to hear a statement on how far we are affected with the old OpenVPN version included in Sophos Connect and when an update is finally planned here. In general, Sophos Connect really needs an update where the known bugs that are mentioned here in the forum or on the KIL are addressed, they are really a pain.

Vishal_R · Accepted Answer

Hi LuNie Sophos Connect 2.3 is released now which covers fix for NCL-1834. community.sophos.com/.../sophos-connect-2-3-update-released

Vishal_R · Answer

Hi LuNie Thanks for the update for the community members.

For community reference: The below CVEs will be fixed under ID NCL-1834 with the Sophos Connect 2.3 release.

CVE-2024-27459
CVE-2024-24974
CVE-2024-27903
CVE-2024-1305

Sophos Connect (OpenVPN) Security Statement

Top Replies