7

I recently had to find a VPN client to connect to a preconfigured Cisco IPSec VPN. Of course there's Cisco's own client implementation AnyConnect, but I wanted to stick with a free alternative if possible. (Edit: I also just read that AnyConnect doesn't support IPSec in the first place.) Said and done I found a couple of applications, but it appears they're all rather old:

  • For Windows there's mostly the famous Shrewsoft client. Its most recent release 2.2.2 dates back to July 1st, 2013.
  • On Linux vpnc is probably the most widely known implementation. It seems like its original maintainers abandoned it after releasing version 0.5.3 on November 19th, 2008. Anyways, that version is still being taken care of by different communities, e.g. Debian most recently patched it to 0.5.3r550-3 on November 23rd, 2016.
  • As a system-independent candidate let's add OpenConnect. Its most recent release is from December 13th, 2016.

Now for a widely used and security critical network application, I find it likely that vulnerabilities are found regularly and that security fixes are published every so often. However, I also realise that by now all these applications have had plenty of time to go through a lot of hardening. So here's my question:

How much of an issue is long update intervals for VPN clients like the ones mentioned above?

schroeder
  • 123,438
  • 55
  • 284
  • 319
kremerd
  • 198
  • 5

1 Answers1

1

Shrewsoft hasn't been updated in 6 years either, but from your list if you look at OpenConnect CVEs there are a few listed over the years.

There are also various issues listed in Github. The issues normally centre around DoS for the client from certain responses, or crashes/bugs in the program when making a request. If your question was whether the encryption offered by a VPN is compromised in older programs, since they use well-defined algorithms that's probably not an issue. If your question is whether they can be used securely on a system without issue, that's probably not the case since they mostly require root access to create a network interface.

Running any software that is not regularly updated or well maintained increases the number of vectors available for a malicious actor for attack however, so wherever possible using software that is no longer updated should be avoided. Merely by installing them an issue might be created.

LTPCGO
  • 965
  • 1
  • 5
  • 22
  • 1
    Thanks for your answer! I think that you are making a very good point here, namely that securing communication and securing the communicating systems are two different concerns. That also lines up with well established best practices: Use VPNs to secure communication, but avoid installing extra software to secure systems. When viewed this way my question boils down to weighing up those two concerns. – kremerd Sep 06 '19 at 19:39