Netgate Discussion Forum

    OpenVPN Vulnerability CVE-7521

    • beremonavabi

      From those instructions, I chose option #2:

      If a firewall currently has the OpenVPN Client Export package installed:

      Update the package to version 1.4.12 or later from System > Package Manager on the Installed Packages tab, which will also update openvpn in the base system.
      Manually restart each instance of OpenVPN from Status > Services or reboot the firewall.

      All looks good.  Running "pkg info -x openvpn" from Diagnostics > Command Prompt gives me:

      openvpn-client-export-2.4.3_3
      openvpn23-2.3.17
      pfSense-pkg-openvpn-client-export-1.4.12
      

      The one thing I'm unclear about is the third paragraph in the article:

      Users of the OpenVPN Client Export package should also update that package on pfSense installations (See item #2 below), and update all client devices with the latest version of OpenVPN. The latest version of the OpenVPN Client Export Package (1.4.9 or later) contains Windows installers for OpenVPN 2.4.3 and 2.3.17. Re-running an exported installer will not update the client; OpenVPN must be removed from the client first before installing a new exported client. Alternately, manually download and install the latest client directly from OpenVPN (that's https://openvpn.net/index.php/open-source/downloads.html).

      I'm assuming by "update all client devices with the latest version of OpenVPN," that means (in my case) the OpenVPN for Android app I installed on my Android phones.  Since the phones automatically updated that and the "What's New" for the app says it fixed CVE-2017-7508, CVE-2017-7520, CVE-2017-7521, and CVE-2017-7522, I again assume I don't have to do anything with the phone app.  But, do I have to re-export the profiles from pfSense (I originally exported the Inline Configurations for Android and pointed OpenVPN for Android on the phones at them)?

      SG-4860, pfSense 2.4.5-RELEASE-p1 (amd64)
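
A scripted form of the version check done by eye in the post above, added here as an example; it is not part of the original thread or Netgate's tooling. The version floors (1.4.12 for the export package, 2.3.17 for openvpn23) are assumptions taken from the versions quoted in the post, and `ver_ge` and `check_pkgs` are hypothetical helper names.

```shell
#!/bin/sh
# Added example: compare `pkg info -x openvpn` output with minimum versions.
# Floors are assumptions taken from the versions quoted in the thread; package
# names are as shown in the post and may differ on other pfSense releases.
MINIMUMS='pfSense-pkg-openvpn-client-export 1.4.12
openvpn23 2.3.17'

# ver_ge A B (hypothetical helper): true when A >= B, comparing dot-separated
# fields numerically so that 1.4.12 > 1.4.9. A port revision ("_3") is ignored.
ver_ge() {
    awk -v a="${1%%_*}" -v b="${2%%_*}" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        for (i = 1; i <= (n > m ? n : m); i++) {
            if ((x[i] + 0) > (y[i] + 0)) exit 0
            if ((x[i] + 0) < (y[i] + 0)) exit 1
        }
        exit 0
    }'
}

# check_pkgs (hypothetical helper): reads name-version lines on stdin, prints
# one status line per tracked package, returns 1 if any is outdated or absent.
check_pkgs() {
    input=$(cat)
    rc=0
    while read -r name min; do
        line=$(printf '%s\n' "$input" | grep -E "^${name}-[0-9]" | head -n 1)
        if [ -z "$line" ]; then
            echo "NOTFOUND $name (cannot verify, need >= $min)"; rc=1
            continue
        fi
        ver=${line##*-}          # version is everything after the last hyphen
        if ver_ge "$ver" "$min"; then
            echo "OK       $name $ver"
        else
            echo "OUTDATED $name $ver (need >= $min)"; rc=1
        fi
    done <<EOF
$MINIMUMS
EOF
    return $rc
}

# Output quoted in the post; on a firewall: pkg info -x openvpn | check_pkgs
THREAD_OUTPUT='openvpn-client-export-2.4.3_3
openvpn23-2.3.17
pfSense-pkg-openvpn-client-export-1.4.12'
printf '%s\n' "$THREAD_OUTPUT" | check_pkgs
```
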

      • jimp Rebel Alliance Developer Netgate

        @beremonavabi:

        I'm assuming by "update all client devices with the latest version of OpenVPN," that means (in my case) the OpenVPN for Android app I installed on my Android phones.  Since the phones automatically updated that and the "What's New" for the app says it fixed CVE-2017-7508, CVE-2017-7520, CVE-2017-7521, and CVE-2017-7522, I again assume I don't have to do anything with the phone app.

        Correct.

        @beremonavabi:

        But, do I have to re-export the profiles from pfSense (I originally exported the Inline Configurations for Android and pointed OpenVPN for Android on the phones at them)?

        No, the settings are the same; it's the client itself that needed an update. Only Windows users who wanted to install the latest version using the export package needed to export anything again.
