Important update for OpenVPN

OpenVPN was analyzed by Guido Vranken using a fuzzer, which uncovered several vulnerabilities. Some of these vulnerabilities have the potential to be remotely exploitable in certain circumstances. For the full details, read the security advisory issued by OpenVPN. These vulnerabilities have been assigned IDs CVE-2017-7508, CVE-2017-7520, CVE-2017-7521, and CVE-2017-7522.

We strongly recommend all users upgrade the OpenVPN package on pfSense software installations to OpenVPN 2.3.17 (pfSense 2.3.4, pfSense 2.3.5 snapshots) or OpenVPN 2.4.3 (pfSense 2.4 snapshots) as soon as possible.

Users of the OpenVPN Client Export package should also update that package on pfSense installations (See item #2 below), and update all client devices with the latest version of OpenVPN. The latest version of the OpenVPN Client Export Package (1.4.9 or later) contains Windows installers for OpenVPN 2.4.3 and 2.3.17. Re-running an exported installer will not update the client; OpenVPN must be removed from the client first before installing a new exported client. Alternately, manually download and install the latest client directly from OpenVPN. For clients on other operating systems, check with the client vendor for updates.

For users running pfSense software version 2.3.4-RELEASE, this update can be accomplished in one of three different ways. Choose and perform one of the following methods:

  1. Perform a manual update from a shell prompt (console or ssh option 8) using the following set of commands:

    pkg update; pkg upgrade -y openvpn23; /etc/rc.openvpn
    

    This command sequence will update the pkg database, then update OpenVPN to version 2.3.17, and then restart all instances of OpenVPN so they are running the latest version. A firewall reboot is optional, but may be used in place of the last command.

    NOTE: Do not run /etc/rc.openvpn from the GUI using Diagnostics > Command Prompt, that command must be run from a shell prompt. Alternately, manually restart each instance of OpenVPN from Status > Services or reboot the firewall.

  2. If a firewall currently has the OpenVPN Client Export package installed:

    • Update the package to version 1.4.12 or later from System > Package Manager on the Installed Packages tab, which will also update openvpn in the base system.
    • Manually restart each instance of OpenVPN from Status > Services or reboot the firewall.
  3. If a firewall does not have the OpenVPN Client Export package installed:

    • Install the OpenVPN Client Export package (version 1.4.12 or later) from System > Package Manager on the Available Packages tab
    • Click the “reinstall” button for the OpenVPN Client Export Package on System > Package Manager on the Installed Packages tab, which will trigger an update of openvpn in the base system.
    • Manually restart each instance of OpenVPN from Status > Services or reboot the firewall.

Users on versions prior to pfSense 2.3.4 should update to pfSense 2.3.4 and then apply the update as described above.

For users on pfSense 2.4 or pfSense 2.3.5 snapshots, update to the latest available snapshot to obtain an updated version of OpenVPN.

To check the current version of OpenVPN and its related packages, run the following command from a shell prompt or Diagnostics > Command:

pkg info -x openvpn

An errata release containing this and other updates for pfSense 2.3.4 users, 2.3.4-p1, is pending and will be released once the (unrelated) FreeBSD corrections for CVE-2017-1000364 are completed, merged, and tested.