SparkLabs Blog.

The latest news and releases.


Viscosity For Mac & Windows: Version 1.9.4

Viscosity version 1.9.4 is now available for both macOS and Windows! This update is a security release and includes an important security fix for the macOS version, OpenSSL updates for both platforms, and a number of small bug fixes.

On the macOS side, a privilege escalation vulnerability has been identified that could potentially allow a local user to gain elevated privileges with a maliciously crafted update bundle. Local machine access is required, it cannot be exploited remotely, and it does not affect the security of VPN connections. However, as it potentially allows a standard user to gain admin (root) permissions, we've classified it as a high severity issue. We strongly encourage all macOS users to update to version 1.9.4 as soon as possible, particularly those in multi-user or enterprise environments. Special thanks to AfkVkas for taking a look at Viscosity and identifying this attack chain.

While the Windows version is not affected by this issue, we've taken the opportunity to perform some additional hardening of the service in this update. Both versions also include an updated version of OpenSSL and several small bug fixes.


Version 1.9.4 Mac Release Notes:

[updated] OpenSSL updated to version 1.1.1l
[fixed] Security: Resolves a local privilege escalation vulnerability during helper update
[fixed] Resolves issue where the connection editor may display the wrong device type
[fixed] Resolves issue that could cause proxy authentication to fail
[fixed] Resolves issue that could cause helper connections to fail on certain machines (build 1578)
[fixed] Various bug fixes and enhancements


Version 1.9.4 Windows Release Notes:

[added] Initial Windows 11 compatibility
[improved] High DPI scaling improvements
[updated] OpenSSL updated to version 1.1.1l
[updated] VPN Network Adapter driver updated
[fixed] Resolves a rare issue where a crash can occur opening certain windows
[fixed] Multiple lines can be added at the same time to Advanced Commands in the connection editor
[fixed] Various bug fixes and enhancements

The 1.9.4 update can be automatically installed from inside Viscosity, or downloaded and manually installed. For support with this version please visit our support section.

Viscosity For Mac & Windows: Version 1.9.3

Viscosity version 1.9.3 is now available for both macOS and Windows! This update includes a number of improvements, including refined support for Apple Silicon (M1) Macs, updated versions of both OpenVPN and OpenSSL, and a number of small bug fixes.

In particular, the Mac version has been updated to automatically detect common DNS misconfigurations and add a warning where appropriate. Problems such as unreachable servers, DNS servers routed through the wrong network interface, use of reserved DNS domains, conflicting DNS domains, and so forth, will now be identified and additional information added to the connection log. We anticipate this should greatly simplify troubleshooting DNS problems for users and administrators unfamiliar with macOS's DNS resolver system.

This version also updates OpenVPN to version 2.4.11 for both Mac and Windows. While this OpenVPN update addresses a potentially serious security issue, it only affects OpenVPN servers. Viscosity clients are unaffected.

Finally, this version also updates OpenSSL to version 1.1.1k for both platforms.

As a follow-up, we're pleased to report that Apple have confirmed that they've resolved the underlying problem (that could cause macOS updates to stall) that necessitated the previous 1.9.2 release of Viscosity with a workaround. This has been resolved in the recent macOS 11.3 update. While we'll leave Viscosity's workaround in place for the foreseeable future (out of an abundance of caution), updating to macOS 11.3 and onwards should always go smoothly, even if an older version of Viscosity is being used.


Version 1.9.3 Mac Release Notes:

[improved] Obfuscation will now run natively on Apple Silicon Macs
[improved] Potential DNS configuration problems are now detected and added to the log
[updated] OpenVPN 2.4 updated to version 2.4.11
[updated] OpenSSL updated to version 1.1.1k
[fixed] Resolves crash that could occur when deleting a connection
[fixed] Resolves crash that could occur when cancelling a U2F authentication attempt
[fixed] Resolves issue quitting with an active VPN connection on some Apple Silicon Macs
[fixed] Resolves issue where a connection may incorrectly fall back to the next remote endpoint
[fixed] Resolves issue that could cause certain dynamic challenge requests to fail
[fixed] Various bug fixes and enhancements


Version 1.9.3 Windows Release Notes:

[updated] OpenSSL updated to version 1.1.1k
[updated] OpenVPN updated to version 2.4.11
[fixed] Resolves a rare issue where DNS Servers could be queried out of order
[fixed] Resolves a potential hang when entering registration details (Build 1723)
[fixed] Various bug fixes and enhancements

The 1.9.3 update can be automatically installed from inside Viscosity, or downloaded and manually installed. For support with this version please visit our support section.

Viscosity For Windows: Version 1.9.2

Viscosity version 1.9.2 is now available for Windows! This update is primarily a maintenance release with bug fixes and small enhancements.

This release focuses on improving support for High DPI Scaling and multi-monitor setups on Windows. In particular, Viscosity will now fully handle setups where the DPI scaling varies from monitor to monitor, and support for High DPI user interface elements has been improved. To allow for DPI Scaling improvements, Viscosity now also requires .NET 4.8 or later.

Finally, we’ve also identified and fixed an issue that could cause a DNS domain to fail to be correctly used as a DNS suffix when using the legacy OpenVPN TAP Adapter.


Version 1.9.2 Windows Release Notes:

[improved] DPI Scaling now performs correctly across monitors with different scaling
[improved] High DPI Scaling support enhancements
[updated] .NET 4.8 is now required
[fixed] Locally defined automatic proxies will now be correctly set for all adapter types
[fixed] Resolves issue where a DNS domain may not be set as a DNS search suffix
[fixed] Various bug fixes and enhancements

The 1.9.2 update can be automatically installed from inside Viscosity, or downloaded and manually installed. For support with this version please visit our support section.

Viscosity For Mac: Version 1.9.2

Viscosity version 1.9.2 is now available for macOS! This is a small update designed to address a single issue related to system updates on macOS 11 (Big Sur). Version 1.9.1 remains the latest Windows version.

We've identified a situation where Viscosity could inadvertently trigger a bug in the macOS update process when updating macOS 11 from version 11.0 or 11.1 to version 11.2.x. This bug can result in the update process stalling at a black screen (with an Apple logo and progress bar) for affected installs.

While this appears to be a bug in the macOS update process, and not directly with Viscosity itself, as it is highly disruptive to those impacted we've elected to push out this update with a workaround in Viscosity to avoid it. If you're running macOS 11 and haven't yet updated it to the latest version, we strongly encourage you to update Viscosity to version 1.9.2 before proceeding.

It's only possible for this bug to be triggered in a small number of instances, and so the vast majority of Viscosity users will not be impacted. Users not updating between the above versions of macOS shouldn't be affected. Users connecting TUN connections are not affected. Users connecting TAP connections may be affected depending on the VPN configuration and cached network settings.

If you've already tried updating macOS 11 and the update has stalled, you can boot your computer into Safe Mode (please note that the process differs between Intel and Apple Silicon Macs) and re-run the update from there. It may be necessary to download and run the full macOS 11 installer from the App Store to complete the update. It is not necessary to erase your computer or restore from Time Machine. If you're unable to boot your computer into Safe Mode, then the cause for the stalled update is unlikely to be related to Viscosity.

Special thanks to Tobias Punke for initially reporting this issue.


Version 1.9.2 Mac Release Notes:

[fixed] Workaround for bug in the macOS 11.2 updater that could be triggered by certain VPN connections resulting in a stalled update

The 1.9.2 update can be automatically installed from inside Viscosity, or downloaded and manually installed. For support with this version please visit our support section.

Viscosity For Mac & Windows: Version 1.9.1

Viscosity version 1.9.1 is now available for both macOS and Windows! This update is primarily a maintenance release, and includes improved support for macOS 11, improved compatibility with OpenVPN configurations, updated OpenVPN and OpenSSL versions, and a number of small bug fixes and improvements for both platforms.

In particular, on the Mac side there have been a number of behind-the-scenes fixes and enhancements to improve compatibility and performance with macOS 11 (Big Sur). Support for Macs with Apple Silicon (M1) processors has also been improved.

Both the Mac and Windows versions will now also correctly handle the use of data-ciphers and related commands by automatically re-mapping them to the equivalent OpenVPN 2.4 commands.

Finally, this version also updates OpenVPN to version 2.4.10, and OpenSSL to version 1.1.1i, for both platforms.


Version 1.9.1 Mac Release Notes:

[improved] Improved support for macOS 11 (Big Sur)
[improved] Automatic remapping of data-ciphers and related commands
[improved] Small improvements to the display of custom routes
[updated] OpenVPN 2.4 updated to version 2.4.10
[updated] OpenSSL updated to version 1.1.1i
[fixed] Common system environment variables are now available to AppleScripts
[fixed] Resolves issue that could prevent VPN connections from starting after a large number of reconnects
[fixed] Resolves an issue that could cause rapid reconnects on a cipher mismatch
[fixed] Various bug fixes and enhancements


Version 1.9.1 Windows Release Notes:

[improved] Automatic remapping of data-ciphers and related commands
[improved] Routes can now be modified in the configuration editor
[updated] OpenVPN updated to version 2.4.10
[updated] OpenSSL updated to version 1.1.1i
[fixed] Resolves a rare issue where some DNS lookups failed
[fixed] Various bug fixes and enhancements

The 1.9.1 update can be automatically installed from inside Viscosity, or downloaded and manually installed. For support with this version please visit our support section.

Viscosity For Mac & Windows: Version 1.9

Viscosity 1.9 is now available for both macOS and Windows! This is one of our biggest updates yet, with significant changes under-the-hood and many new features.

One of the most anticipated additions in version 1.9 is support for macOS 11 (Big Sur). Viscosity now supports and integrates with macOS 11, and all of Viscosity's existing functionality is fully supported (including TAP support - more on that below).

We've also ported Viscosity to have complete native support for the upcoming Apple Silicon (ARM) Macs. Viscosity and your VPN connections will run at native speed to take full advantage of the new processor architecture and power savings.

Version 1.9 also introduces driverless TAP (bridged) connection support on macOS. This is something we are particularly enthusiastic about: if you use TAP (bridged) OpenVPN connections you'll no longer need to manually approve a kernel extension to load before you're able to connect. This will also make deployment much easier in enterprise environments. And best of all, our approach fully supports macOS 11.

On the Windows side, version 1.9 introduces a brand-new VPN network adapter driver for Windows 10 2004 and later. This driver has been written from the ground up for modern Windows 10 machines. It does away with using legacy system frameworks to help optimise performance and lower resource usage. It also includes privacy improvements, such as generating a random ethernet (MAC) address each time you connect, as well as better support for custom MTU values and custom MAC addresses (using the lladdr command) for TAP connections.

A common request from Viscosity power users is for more powerful scripting support, and we're pleased to be able to say we've done just that. Both AppleScript scripts on macOS, and Batch scripts on Windows now have access to connection details, making it easier to write scripts that respond to different network changes. This also makes it easier to share scripts between connections, or even different users.

It's now also possible for Before-Connect scripts to return username and password credentials, making it easy to craft custom authentication prompts, integrate with custom authentication systems, or manually handle credential storage.

The Windows version also updates the DNS system to improve the reliability of Network Location Awareness (NLA) when connected to a VPN on newer versions of Windows 10. This should resolve an issue where certain applications, such as Microsoft Office, may be unable to use network services while connected. Also addressed in the Windows update is a low-severity security vulnerability that could allow certain libraries to be side-loaded from the same directory when the Windows installer is run. Thank you to Vladimir Dubrovin for reporting this.

It's also important to note that this update drops support for OpenVPN 2.3. Viscosity will still be able to connect to servers running OpenVPN 2.3 or older versions; however, OpenVPN 2.4 will now be used client-side. For the vast majority of users no migration changes are needed and connections will automatically work. However, if you've updated and can no longer connect, please refer to our migration guide.

Finally, version 1.9 also includes many more small improvements and bug fixes. For further information please refer to the release notes below.


Version 1.9 Mac Release Notes:

[added] Support for macOS 11 (Big Sur)
[added] New driverless TAP support for macOS 10.15+
[added] Complete native support for Apple Silicon (ARM) Macs
[added] Connection details are now accessible from AppleScript scripts
[added] Before-Connect scripts are now able to return a username and password
[improved] Support for DNS servers assigned using DHCPv6
[improved] Unreachable DNS servers are now detected and handled
[improved] Additional details added to logging of connection state changes
[improved] Additional compression options have been added to the editor
[improved] Viscosity will prompt for confirmation when quit using Cmd-Q
[updated] OpenSSL updated to version 1.1.1h
[fixed] Resolves issue that could cause the helper to fail to automatically update
[fixed] Resolves issue running pushed user connection scripts
[fixed] DNS resolution issue after a TAP connection reconnect resolved
[fixed] Various bug fixes and enhancements
[removed] OpenVPN 2.3 removed
[removed] macOS 10.12 is no longer supported


Version 1.9 Windows Release Notes:

[added] New adapter driver for Windows 10 2004+
[added] Connection details are now accessible from Batch and VBS scripts
[added] Before-Connect scripts are now able to return a username and password
[added] Scripting command added to list all connections as a JSON parsable string
[improved] Connection-specific DNS Suffix Search List is now used instead of the global list on Windows 10 1809+
[improved] IPv6 SLAAC/RA TAP support has been improved
[improved] NCSI and NLA support on Windows 10 2004+ has been improved
[improved] Additional compression options have been added to the editor
[updated] OpenSSL updated to version 1.1.1h
[fixed] An issue where an extraneous adapter was sometimes left behind after a failed connection attempt no longer occurs
[fixed] A rare issue where a connection would become stuck in the creating state has been fixed
[fixed] Inline auth-user-pass is now imported correctly
[fixed] Resolves low-severity security vulnerability in the installer that could allow library side-loading
[fixed] Resolves an issue connecting to some 2FA enabled servers (Build 1695)
[fixed] Various bug fixes and enhancements
[removed] OpenVPN 2.3 removed

The 1.9 update can be automatically installed from inside Viscosity, or downloaded and manually installed. For support with this version please visit our support section.

Viscosity For Mac & Windows: Version 1.8.6

Viscosity version 1.8.6 is now available for both macOS and Windows! This update brings a number of small improvements, updated OpenVPN and OpenSSL versions, two-factor authentication enhancements, and small bug fixes.

In particular, on the macOS side U2F support has been overhauled to offer a smoother device registration process as well as support for additional devices. It also lays the groundwork for FIDO2 support in a future update to Viscosity.

The Windows version has also overhauled remote server endpoint selection to match the Mac version's functionality. In particular, the Windows version now also supports round-robin DNS for server domains that resolve to multiple IP addresses. Reachability checking at the start of a connection has also been improved, with local reachability problems detected sooner.

The macOS version also resolves two issues that could result in a connection appearing stuck in a "Disconnecting" state after waking the computer from sleep. This was caused by rapid Power Nap or Wake-on-LAN events causing the computer to wake for very short periods of time. Viscosity should now handle these short wake events correctly.

Finally, this version also updates OpenVPN to version 2.4.9, and OpenSSL to version 1.1.1g, for both platforms.


Version 1.8.6 Mac Release Notes:

[added] Additional U2F devices are now supported
[improved] Improves flow of U2F registration and authentication
[improved] Server generated explicit-exit-notify messages are now supported
[updated] OpenVPN 2.4 updated to version 2.4.9
[updated] OpenSSL updated to version 1.1.1g
[fixed] Resolves a potential VPN connection hang after a Power Nap event
[fixed] Resolves a potential VPN connection hang after a rapid WoL event
[fixed] OpenVPN will no longer fail to start if tmp directory permissions are incorrect
[fixed] Resolves a rare potential crash in Viscosity's helper tool
[fixed] Various bug fixes and enhancements


Version 1.8.6 Windows Release Notes:

[added] Fallback support for servers using a round-robin DNS record
[improved] Reachability checking and endpoint selection has been improved
[improved] Server generated explicit-exit-notify messages are now supported
[updated] Updates OpenVPN to version 2.4.9
[updated] Updates OpenSSL to version 1.1.1g
[fixed] Resolves an issue that could cause a reachability check to fail when using a proxy server
[fixed] Resolves a rare issue where dropouts of TCP VPN connections were not detected
[fixed] A DHCP specified gateway on TAP connections will no longer override the Send All Traffic option
[fixed] Resolves an issue that could cause reachability checks to fail using some protocols (Build 1681)
[fixed] Resolves an issue that could cause reachability checks to fail upon server fallback (Build 1682)
[fixed] Various bug fixes and enhancements

The 1.8.6 update can be automatically installed from inside Viscosity, or downloaded and manually installed. For support with this version please visit our support section.

Viscosity For Mac & Windows: Version 1.8.5

Viscosity version 1.8.5 is now available for both macOS and Windows! This update is primarily a maintenance release to keep Viscosity and your VPN connections running smoothly.

In light of the COVID-19 pandemic, we've limited this update to bug fixes and small improvements only, with no major changes. We've received countless reports of Viscosity playing a widespread and vital role for businesses and educational institutions with staff working from home. In such an environment the last thing we want is for changes to Viscosity's behaviour or user interface to surprise users or add additional workload to already overburdened staff.

On the macOS side, this update resolves a number of rare crashes that have been reported to us, as well as an issue that could prevent custom menu item scripts in a bundled version of Viscosity from running. An issue where Full DNS wouldn't be applied when using a split-routed TAP/bridged connection using DHCP for IP assignment has also been resolved.

The Windows version has a number of small improvements to both the DNS and networking to improve reliability, especially in certain enterprise setups. In particular, Viscosity is now better able to prevent loopback DNS settings remaining in rare situations caused by a Windows crash or surprise hardware removal. An issue where users may not get prompted for their U2F credentials on some Windows 10 machines has been resolved, as well as an issue that could cause VPN connections to fail to automatically reconnect.

We’re also aware of difficulty using the SafeNet Authentication Client (SAC) PKCS#11 driver with Viscosity 1.8.4 and earlier on macOS 10.15. The driver does not conform to macOS 10.15's dynamic library linking requirements, and so macOS blocks it from loading. We've been informed that updating to the latest version of the driver (10.2 Post GA R2) should resolve this. For those stuck on older versions of the driver, we've also managed to implement a workaround in Viscosity to allow the driver to load.

We've also received reports of two enterprise security software packages, namely "SentinelOne" and "Digital Guardian", causing Viscosity to crash under macOS 10.15. Users have reported crashes when attempting to launch Viscosity, when attempting to connect a VPN connection, or when clicking on a password field. The fault lies with these software packages being incompatible with macOS 10.15's "hardened runtime" requirement. The developers of both software packages have reported this has been fixed in their respective latest versions. If you are using a workplace-supplied device and are experiencing these crashes, please ask your IT staff to update the relevant software to the latest version.

Users with TAP connections upgrading to macOS 10.15.4 may also receive a "Legacy System Extension" warning from macOS, indicating that future versions of macOS may no longer support the TAP driver. Rest assured that we have already been working on a solution for the next major version of macOS.

Finally, this update also updates OpenSSL to version 1.1.1f for both platforms.


Version 1.8.5 Mac Release Notes:

[improved] Workaround to allow the PKCS#11 driver for SafeNet tokens to load
[updated] OpenSSL updated to version 1.1.1f
[fixed] Resolves issue with Full DNS mode on split-routed TAP connections using DHCP assignment
[fixed] Resolves issue that could prevent custom menu item scripts from running
[fixed] Resolves a rare potential crash when disconnecting a VPN connection
[fixed] Resolves a rare potential crash in Viscosity's helper tool
[fixed] Various bug fixes and enhancements
[removed] OS X 10.11 is no longer supported


Version 1.8.5 Windows Release Notes:

[improved] Viscosity DNS now uses unique loopback IP addresses
[improved] Network Profiles will now be cleaned up when a connection is removed
[updated] Updates OpenSSL to version 1.1.1f
[fixed] Resolves an issue where U2F Windows Security dialog was not appearing on some machines
[fixed] Resolves an issue where automatic reconnections sometimes didn't occur after a dropout
[fixed] Resolves an issue where Use Windows DNS option was sometimes not observed
[fixed] Resolves a rare issue that could cause some connection attempts to fail (build 1665)
[fixed] Various bug fixes and enhancements

The 1.8.5 update can be automatically installed from inside Viscosity, or downloaded and manually installed. For support with this version please visit our support section.

Viscosity For Mac & Windows: Version 1.8.4

Viscosity version 1.8.4 is now available for both macOS and Windows! This update includes two-factor token authentication improvements, an updated version of OpenSSL for OpenVPN 2.3, a low-severity security fix, and a number of small bug fixes and improvements for both platforms.

On the authentication side, a number of PKCS#11 issues have been addressed on both platforms, which should allow additional tokens and certificate/keys to be used for authentication. This should also resolve certain keys not working in the previous two releases of Viscosity.

Viscosity now also supports importing connections that include an inline username and password. These will automatically be loaded into the Keychain or Windows Credential Manager at import time for safe storage.
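The import step described above, separating an inline username and password from the configuration so the secret can be handed to a credential store, sketched as an added example (not Viscosity's code). It assumes the OpenVPN inline form `<auth-user-pass>` with the username on the first line and the password on the second; the function name, type name and sample values are made up for illustration.

```python
import re
from typing import List, NamedTuple, Optional, Tuple

# Opening tag of an OpenVPN inline block, e.g. <ca> or <auth-user-pass>.
INLINE_OPEN = re.compile(r"^<([A-Za-z0-9_-]+)>$")


class Extracted(NamedTuple):
    config: str                       # configuration text with the secret removed
    username: Optional[str]
    password: Optional[str]
    file_refs: List[Tuple[int, str]]  # (line number, path) of "auth-user-pass <file>"


def extract_inline_credentials(text: str) -> Extracted:
    """Split an .ovpn config into a secret-free config and its credentials.

    Hypothetical helper. The caller is expected to put the returned
    username/password into the OS credential store and write only
    `config` back to disk.
    """
    out: List[str] = []
    file_refs: List[Tuple[int, str]] = []
    username = password = None
    block = None            # name of the inline block currently being read
    body: List[str] = []    # lines inside an <auth-user-pass> block
    found = has_directive = False

    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if block is not None:
            if line == f"</{block}>":
                if block == "auth-user-pass":
                    username = body[0] if body else None
                    password = body[1] if len(body) > 1 else None
                    found = True
                else:
                    out.append(raw)
                block = None
            elif block == "auth-user-pass":
                body.append(raw)        # keep the secret out of `out`
            else:
                out.append(raw)         # other inline blocks pass through untouched
            continue
        m = INLINE_OPEN.match(line)
        if m:
            block, body = m.group(1), []
            if block != "auth-user-pass":
                out.append(raw)
            continue
        words = line.split()
        # Commented-out lines start with '#' or ';' and never match here.
        if words and words[0] == "auth-user-pass":
            has_directive = True
            if len(words) > 1:
                # Credentials live in a separate file: report it for review.
                file_refs.append((lineno, words[1]))
        out.append(raw)

    if block is not None:
        raise ValueError(f"unterminated <{block}> block")
    if found and not has_directive:
        # Leave a bare directive so the client still asks for credentials.
        out.append("auth-user-pass")
    return Extracted("\n".join(out) + "\n", username, password, file_refs)


# Constructed sample; host name, user name and password are made up.
SAMPLE_OVPN = """\
client
dev tun
remote vpn.example.com 1194 udp
<ca>
-----BEGIN CERTIFICATE-----
constructed-placeholder-not-a-real-certificate
-----END CERTIFICATE-----
</ca>
<auth-user-pass>
alice
correct-horse-battery
</auth-user-pass>
"""

if __name__ == "__main__":
    result = extract_inline_credentials(SAMPLE_OVPN)
    print(result.config, end="")
    print("username:", result.username,
          "| password length:", len(result.password or ""))
```
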

On the Mac, Viscosity will now automatically detect when the "Disable Time Machine backups while connected" feature is blocked. macOS 10.15 requires that applications be granted the "Full Disk Access" privilege to enable or disable automatic backups. If granted, Viscosity will only use this privilege to enable/disable Time Machine backups, and only if the feature is enabled.

This update also contains two security related updates. Firstly, OpenVPN 2.3 is now updated to use OpenSSL 1.0.2u (OpenVPN 2.4 will continue to use OpenSSL 1.1.1d). With OpenSSL 1.0.2 now end of life, Viscosity will likely be dropping OpenVPN 2.3 later in the year (please keep in mind that OpenVPN 2.4 is backwards compatible with servers running older versions of OpenVPN).

Secondly, this update also addresses a low-severity security vulnerability (CVE-2020-5180). An attacker with local access could potentially run arbitrary code within Viscosity's OpenVPN sandbox by using a maliciously crafted OpenSSL engine and associated command. Such an attack is successfully contained within Viscosity's sandbox, which has de-elevated permissions and access restrictions, and so an attacker does not gain elevated local permissions (such as root or SYSTEM) on the machine and their actions are severely limited.

However, under macOS an attacker may be able to access on-disk VPN credentials (such as a certificate and private key) from other active OpenVPN connections that run within the sandbox at the same time. This does not apply to the Windows version. Because of this, we encourage those in multi-user macOS environments to update as soon as possible. Special thanks to Rich Mirch for identifying and reporting this issue.


Version 1.8.4 Mac Release Notes:

[added] Import support for inline usernames and passwords
[updated] OpenSSL updated to version 1.0.2u for OpenVPN 2.3
[fixed] Resolves PKCS#11 issue using some RSA certificates
[fixed] Resolves issue moving the menu icon on older versions of macOS
[fixed] Detects if Time Machine backups could not be disabled due to macOS privileges
[fixed] Resolves low-severity security vulnerability (CVE-2020-5180)
[fixed] Various bug fixes and enhancements


Version 1.8.4 Windows Release Notes:

[added] Import support for inline usernames and passwords
[added] ECDSA support for CNG (--cryptoapicert)
[added] TLS 1.3 RSA-PSS support for PKCS#11 and CNG (--cryptoapicert)
[improved] Disabled DNS Mode functionality has been improved
[updated] OpenSSL updated to version 1.0.2u for OpenVPN 2.3
[fixed] Resolves an issue where connections failed on Windows Server Domain Controllers
[fixed] Resolves issue with PKCS#11 connections using ECDSA keys
[fixed] Resolves low-severity security vulnerability (CVE-2020-5180)
[fixed] Resolves regression that could cause some connections to fail on 32-bit installations (Build 1651)
[fixed] Various bug fixes and enhancements

The 1.8.4 update can be automatically installed from inside Viscosity, or downloaded and manually installed. For support with this version please visit our support section.

Viscosity For Mac & Windows: Version 1.8.3

Viscosity version 1.8.3 is now available for both macOS and Windows! This update is primarily a small maintenance release with bug fixes and minor enhancements.

Most notably, Viscosity will now prompt to allow connections to OpenVPN setups with certificates where a weak CA digest is detected. This should make it easier to connect to legacy servers without the need to manually adjust any advanced commands.

The Mac update also addresses a regression that could cause EC keys on PKCS#11 devices to be unusable, as well as some small fixes when running on older versions of macOS.


Version 1.8.3 Mac Release Notes:

[improved] Viscosity will now prompt to allow a weak CA digest if detected
[fixed] Resolves issue using EC keys on PKCS#11 devices
[fixed] Resolves a potential hang on older versions of macOS when importing connections
[fixed] Resolves a tap-to-click issue with the main menu on older versions of macOS
[fixed] Resolves a potential crash when importing a connection (build 1521)
[fixed] Various bug fixes and enhancements


Version 1.8.3 Windows Release Notes:

[improved] Viscosity will now prompt to allow a weak CA digest if detected
[improved] Minor user interface improvements
[fixed] Various bug fixes and enhancements

The 1.8.3 update can be automatically installed from inside Viscosity, or downloaded and manually installed. For support with this version please visit our support section.