Access Server

Follow us

Heartbleed vulnerability on Access Server 1.8.4 –> 2.0.5



The 'Heartbleed' vulnerability is one that affects all software that utilizes the OpenSSL libraries. OpenVPN Access Server also uses these libraries, as do many other programs around the world. OpenSSL libraries are bundled with Access Server so please note that updating your operating system's OpenSSL version alone will not affect the bundled OpenSSL package that comes with Access Server. Versions 1.8.4 all the way through to 2.0.5 were affected by this particular issue. Information about what Heartbleed can do can be found readily anywhere on the internet (CVE-2014-0160) but the gist of it is that information like private keys could be stolen off your server. Again, please note that this is not an OpenVPN-specific issue, but affects ALL software world-wide that is using OpenSSL. Regarding the integrity of data travelling through the OpenVPN tunnels themselves we can report that because we use TLS-auth on these tunnels the attack on these tunnels themselves could not take place. This vulnerability focuses around the web services component of the Access Server.

We recommend that you upgrade to version 2.0.6 (or newer) of the Access Server. Version 2.0.6 was the first version to incorporate the new fix. Note that CentOS 5 and RedHat 5 will need a newer kernel in order to load version 2.0.3 or higher of the Access Server, so keep this in mind. For other systems that are supported you can head on over to http://openvpn.net/index.php/access-server/download-openvpn-as-sw.html to find the latest package for your operating system.

Download the package file to your system and install it over the existing one.
For CentOS and RedHat based systems you can run this command: rpm -Uvh packagefilename.rpm
For Debian and Ubuntu based systems you can run this command: dpkg -i packagefilename.deb

If for some reason you don't want to or cannot upgrade, we also have the libraries affected available for separate download. These binaries are the library files that are affected by this vulnerability, and can be used on the affected versions of Access Server ONLY. So these are meant ONLY for versions 1.8.4 all the way through to version 2.0.5. Please do not use them on any other version! Read on to learn how to apply the binary files.

First stop your Access Server with this command:
/etc/init.d/openvpnas stop
(note; for newer OSes sometimes you need to use service openvpnas stop)

Go to your /usr/local/openvpn_as/lib/ folder and you will find in that folder several files. The affected files are there, and we suggest that you back them up by renaming them. So run these commands:
mv libssl.so.1.0.0 libssl.so.1.0.0.backup
mv libcrypto.so.1.0.0 libcrypto.so.1.0.0.backup

Now download the new files from our download server to your system. You can find the files here:
http://swupdate.openvpn.org/hb/

Look up the operating system and distribution version of your operating system. Then select whether you have 64 bits or 32 bits OS, and download those 2 files to the /usr/local/openvpn_as/lib/ folder. In this sample I will assume Debian 7, x64, and I will download these files (adjust to match your OS and architecture):
wget http://swupdate.openvpn.org/hb/Debian/7/amd64/libcrypto.so.1.0.0
wget http://swupdate.openvpn.org/hb/Debian/7/amd64/libssl.so.1.0.0

Now you should be able to start the Access Server again, and the problem should be resolved. Run this command to start the Access Server service:
/etc/init.d/openvpnas start
(or on some newer systems: service openvpnas start)