Viscosity update necesary for everyone for security reasons



Infrastructure & Operations
6 years ago
3 years ago


(Reporter: michal, Assigned: Guillermo Huerta [Disabled MoCo account])



Viscosity versions before 1.4.2 has a serious security bug that allows every local user to obtain root privileges.

Exploits for this bug are online and can be found easily. I have tested them and they are working, giving me a root shell every time.

This issue is not exploitable remotely - attacker first needs to find a way to execute local code on the system. But once he gets it nothing will stop the attack - no countermeasures exist for Viscosity other than updating it.

Viscosity 1.4.2 has just been released and it fixes this bug.

It also hardens it against similar problems in the future and has other security important changes.

We need your help to update everyone who is using it.

The fact that the bug is not exploitable remotely helps only a little - a determined and skilled attacker can usualy get user to execute malicious code - with attack on the browser, java, social engineering, etc.


From the Changelog:

Viscosity is available for Windows XP, Vista & 7 as well! Please visit the website for details.

The changelog reads:
Version 1.4.2:
Viscosity will now automatically switch between OpenVPN 2.2 and 2.3 as needed
OpenVPN version can be manually selected under Preferences>Advanced
Support for the Notification Center under Mac OS 10.8
Security: Fixes a potential privilege escalation attack caused by exploiting the behaviour of ViscosityHelper and the Python framework (CVE-2012-4284).
Security: ViscosityHelper hardened against privilege escalation attacks
Security: By default Viscosity no longer allows for potentially dangerous OpenVPN commands to be used, including up and down scripts. Viscosity's scripting support is not affected.
OpenVPN 2.3 patched to restore HTTP proxy support
DNS stability improvements when running under Mac OS 10.7 and 10.8
Fixes issue exporting zipped connections under Mac OS 10.8
Fixes issue enabling automatic IPv6 on TAP interfaces under Mac OS 10.8
Fixes issue importing a connection with non-ASCII characters under Mac OS 10.8
Fixes issue importing some TCP based connections
Fixes issue auto-detecting the version of OpenVPN to use (build 1092)
Various bug fixes and enhancements
Summary: Viscosity update necesary for everyone in Moco for security reasons → Viscosity update necesary for everyone for security reasons
Severity: normal → major

Comment 1

6 years ago

We need to rollout an updated version of Viscosity. How do you normally handle updates like this?
We don't have a method to push the update.  We will work on a rollout plan next week.
Assignee: desktop-support → ghuerta
Just for the record, there was a Yammer announcement and an email sent to all@ on 9/1 informing people that they needed to upgrade.
It would be nice to maybe work for us (desktop+opsec) on a procedure what to do in cases like this, in the future.

Other than that, thank you for the announcement and email!
Michal can you confirm that this only affects OS X users.
Yes, this only affects OS X users.
Since we do not have admin on user machines, is there another step here or can this bug be closed?
You may close this bug. Thank you for a prompt reaction!
Desktop has a mana page with all registered licenses of OSX Viscosity users. I will send an e-mail to the 250 users on this page to remind them to perform the update.
That's a great idea!

I will open another bug when Tunnelblick update is released - the same kind of problems but have to test the exploits on more than one system. The production ready update hasn't been released by Tunnelblick team yet, there's only some -devel, and the team is not sure if it won't break something, so we cannot deploy it for users for now.

People using OpenVPN directly from Linux cmd line and various kinds of Network Managers (KDE, Gnome) are not affected. The problem is NOT in OpenVPN itself, that's just OS X.
Last Resolved: 5 years ago
Resolution: --- → FIXED
Product: → Infrastructure & Operations
You need to log in before you can comment on or make changes to this bug.