On Monday evening, April 7th, 2014, we were informed of a major vulnerability, dubbed 'Heartbleed' (CVE-2014-0160), in one of the Internet's most significant security libraries, OpenSSL. A great number of services across the Internet, including OpenVPN Access Server, were affected by this issue. Since learning of it, we have immediately taken the necessary steps to ensure the security of OpenVPN and the OpenVPN Access Server product. On the morning of April 8th we therefore released patches for the specific versions of Access Server that are affected, and we released Access Server 2.0.6 with the fix for this issue already incorporated; any future releases will of course be protected from this vulnerability.
The affected versions of Access Server are 1.8.4, 1.8.5, 2.0.0, 2.0.1, 2.0.2, 2.0.3, 2.0.4, and 2.0.5. If you have a version older or newer than those listed, you are not vulnerable to Heartbleed, but of course we always recommend keeping your system up to date. If you are running one of the listed versions, or for that matter an older version of OpenVPN Access Server, we recommend that you upgrade to the latest version available from our website. Please note that you need a valid (not expired) license key in order to upgrade and keep your license.
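As an added example (not part of the original advisory), the following script triages a constructed host inventory against the affected-version list above. Versions are compared numerically rather than as strings, so a release such as 2.0.10 is correctly treated as newer than 2.0.5 and therefore not affected.

```python
import re

# Affected Access Server versions, exactly as listed in the advisory.
AFFECTED = {(1, 8, 4), (1, 8, 5),
            (2, 0, 0), (2, 0, 1), (2, 0, 2), (2, 0, 3), (2, 0, 4), (2, 0, 5)}


def parse_version(text):
    """Turn '2.0.5', 'v2.0.5' or '2.0.5-beta' into a numeric tuple (2, 0, 5)."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    return tuple(int(part) for part in m.groups())


def is_affected(version):
    """True only for the versions named in the advisory; older and newer releases are not."""
    return parse_version(version) in AFFECTED


# Constructed sample inventory (hypothetical hosts): one "host version" pair per line.
INVENTORY = """\
vpn-a.example 2.0.5
vpn-b.example 2.0.6
vpn-c.example 1.8.3
vpn-d.example v2.0.10
vpn-e.example 1.8.4
"""


def triage(inventory=INVENTORY):
    """Return the hosts that need the patch or the upgrade, in inventory order."""
    needs_upgrade = []
    for line in inventory.splitlines():
        if not line.strip():
            continue
        host, version = line.split()
        if is_affected(version):
            needs_upgrade.append(host)
    return needs_upgrade


if __name__ == "__main__":
    print("needs upgrade:", ", ".join(triage()))
```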
As always, the OpenVPN Access Server packages, which can be installed on dedicated, virtual, and cloud systems, can be downloaded from the following address, after which you can perform an upgrade installation that retains your settings and brings your system up to date:
The attack vector that is present on the Access Server with the vulnerable OpenSSL libraries is not present on the Connect Clients. Only the server that your client connects to could possibly exploit this vulnerability against the client, and even then it is unlikely, because we use Perfect Forward Secrecy and TLS-auth on top of the SSL connection. The data channel itself is not particularly at risk; only the web services on the server are. And even then, since we use a privilege separation model, the web services run in a completely separate process from the OpenVPN daemons handling the data connections, so the private keys for your OpenVPN connections are not likely to be at any risk. Even so, we don't want to take chances and will release 2.0.7 soon, which will incorporate updated clients as well.
Note that mobile clients, such as those on iPad, iPhone and Android devices, are not affected, as they use PolarSSL instead.