This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

How to download SSL VPN client 2.3.18 or higher

I've been using UTM 9, SSL VPN client on Windows 10, version 2.1 for years.

Now, my employer's security scanners says that is "out of date" and removed it.

They say I have to use version 2.3.18 or greater.  Problem is, I can't find that.  I reinstalled SSL VPN client from the portal and again got version 2.1, which is blocked by security.

 

What is the current version?  How do I download the latest version?  The 2.1 version contains an OpenVPN build that reportedly has vulnerabilities.

Thanks!



This thread was automatically locked due to age.
Parents
  • FYI, I downloaded OpenVPN 2.3.18 and got reconnected that way.

    However, when I tried OpenVPN 2.4 (the latest), it said my Sophos ovpn configuration was invalid.

  • All of the UTM modules are "hardened" instead of being updated to the latest release as this is easier than vetting new releases.  I would be surprised if the Sophos SSL VPN Client exhibited the behavior they wanted to prevent.  Did they state their reason for wanting to block V2.1?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • The vulnerability is in the OpenVPN software.  And no, they don't specifically say what it is, and it is not possible to contact them or ask.  It is also not possible to get a waiver or exception.

    But they do say the minimum acceptable client is 2.3.18.

  • If anyone is worried about this, please open a case with Sophos Support and ask if CVE-2017-12166 and earlier vulnerabilities have been fixed in the current client.  Also, ask what the 'Product version' should be on the 'Details' tab of 'openvpn Properties'. 

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • I am getting the same problem, our Nessus scans are flagging the version of OpenVPN as bad, it doesn't matter if the actual issue has been resolved by Sophos, it will still get flagged as a High Risk issue as the version of OpenVPN has been identified as having the issue. 

    Nessus reports: According to its self-reported version number, the version of OpenVPN installed on the remote host is affected by an error related to a weakness in the 'key-method 1' implementation which could allow buffer overflow attacks and result in unexpected code execution

    Remediation: Upgrade to OpenVPN 2.3.18 / 2.4.4 or later.

    Any chance of a fix for this anytime soon?

    Thanks, 

    Mike 

  • Do you have a CVE? 

    With this CVE, you can report this to the sophos support. But tbh, i do not think, the sophos client is affected by this. I am not familiar with Nessus, but does this tool actual perform a attack or it just assume, the version is still affected? 

    __________________________________________________________________________________________________________________

  • It does not perform an attack, it just looks at version numbers of all software installed as well as a bunch of other things.  Thanks for the tip on the CVE. 

  • We use nessus too.

     

    It's not the sophos client that's vulnerable, it's the openvpn software underneath the client.  I mitigated it by manually installing the latest OpenVPN client and using that directly.

  • In case anyone is interested here is the CVE from NIST. nvd.nist.gov/.../CVE-2017-12166

Reply Children
No Data