SparkLabs Blog.

The latest news and releases.


Viscosity For Mac & Windows: Version 1.8.4

Viscosity version 1.8.4 is now available for both macOS and Windows! This update includes two-factor token authentication improvements, an updated version of OpenSSL for OpenVPN 2.3, a low-severity security fix, and a number of small bug fixes and improvements for both platforms.

On the authentication side, a number of PKCS#11 issues have been addressed on both platforms, which should allow additional tokens and certificate/keys to be used for authentication. This should also resolve certain keys not working in the previous two releases of Viscosity.

Viscosity now also supports importing connections that include an inline username and password. These will automatically be loaded into the Keychain or Windows Credential Manager at import time for safe storage.

On the Mac, Viscosity will now automatically detect when the "Disable Time Machine backups while connected" feature is blocked. macOS 10.15 requires that applications be granted the "Full Disk Access" privilege to enable or disable automatic backups. If granted, Viscosity will only use this privilege to enable/disable Time Machine backups, and only if the feature is enabled.

This update also contains two security-related updates. Firstly, OpenVPN 2.3 is now updated to use OpenSSL 1.0.2u (OpenVPN 2.4 will continue to use OpenSSL 1.1.1d). With OpenSSL 1.0.2 now end of life, Viscosity will likely be dropping OpenVPN 2.3 later in the year (please keep in mind that OpenVPN 2.4 is backwards compatible with servers running older versions of OpenVPN).

Secondly, this update also addresses a low-severity security vulnerability (CVE-2020-5180). An attacker with local access could potentially run arbitrary code within Viscosity's OpenVPN sandbox by using a maliciously crafted OpenSSL engine and associated command. Such an attack is successfully contained within Viscosity's sandbox, which has de-elevated permissions and access restrictions, and so an attacker does not gain elevated local permissions (such as root or SYSTEM) on the machine and their actions are severely limited.

However, under macOS an attacker may be able to access on-disk VPN credentials (such as a certificate and private key) from other active OpenVPN connections that run within the sandbox at the same time. This does not apply to the Windows version. Because of this, we encourage those in multi-user macOS environments to update as soon as possible. Special thanks to Rich Mirch for identifying and reporting this issue.


Version 1.8.4 Mac Release Notes:

Added: Import support for inline usernames and passwords
Updated: OpenSSL updated to version 1.0.2u for OpenVPN 2.3
Fixed: Resolves PKCS#11 issue using some RSA certificates
Fixed: Resolves issue moving the menu icon on older versions of macOS
Fixed: Detects if Time Machine backups could not be disabled due to macOS privileges
Fixed: Resolves low-severity security vulnerability (CVE-2020-5180)
Fixed: Various bug fixes and enhancements


Version 1.8.4 Windows Release Notes:

Added: Import support for inline usernames and passwords
Added: ECDSA support for CNG (--cryptoapicert)
Added: TLS 1.3 RSA-PSS support for PKCS#11 and CNG (--cryptoapicert)
Improved: Disabled DNS Mode functionality has been improved
Updated: OpenSSL updated to version 1.0.2u for OpenVPN 2.3
Fixed: Resolves an issue where connections failed on Windows Server Domain Controllers
Fixed: Resolves issue with PKCS#11 connections using ECDSA keys
Fixed: Resolves low-severity security vulnerability (CVE-2020-5180)
Fixed: Resolves regression that could cause some connections to fail on 32-bit installations (Build 1651)
Fixed: Various bug fixes and enhancements

The 1.8.4 update can be automatically installed from inside Viscosity, or downloaded and manually installed. For support with this version please visit our support section.