CVE-2017-20123

8.8 HIGH

📋 TL;DR

This vulnerability in the Viscosity VPN client allows attackers to execute arbitrary code by exploiting an untrusted search path issue in the DLL handler. Attackers can plant malicious DLLs in directories that Viscosity searches, leading to remote code execution. Users of Viscosity 1.6.7 and earlier versions are affected.

💻 Affected Systems

Products:
  • Viscosity VPN Client
Versions: 1.6.7 and earlier
Operating Systems: Windows, macOS
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability exists in the DLL loading mechanism when Viscosity searches for required libraries.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Full system compromise with attacker gaining administrative privileges, data theft, and persistent backdoor installation.

🟠 Likely Case: Attacker gains user-level access to execute arbitrary code, potentially stealing VPN credentials and network traffic.

🟢 If Mitigated: Limited impact if proper application whitelisting and DLL search path restrictions are in place.

🌐 Internet-Facing: MEDIUM - Requires attacker to trick user into downloading malicious file or accessing compromised network share.
🏢 Internal Only: HIGH - Internal attackers can exploit this via network shares or by placing malicious DLLs in accessible directories.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires user interaction or network access to place a malicious DLL in the search path. Public exploit code is available on GitHub.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.6.8

Vendor Advisory: https://www.sparklabs.com/blog/viscosity-for-mac-windows-version-1-6-8/

Restart Required: Yes

Instructions:

1. Download Viscosity 1.6.8 from official website.
2. Install over existing version.
3. Restart computer to ensure all components are updated.

🔧 Temporary Workarounds

Restrict DLL Search Path

windows

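Use Windows Group Policy or application control to restrict DLL search paths for Viscosity. The image-load process mitigations below stop the process from loading DLLs from remote shares and make it prefer the System32 copy of a library:

Set-ProcessMitigation -Name viscosity.exe -Enable BlockRemoteImageLoads,PreferSystem32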

Remove Write Permissions

windows

Remove write permissions from directories in Viscosity's DLL search path that non-admin users can access.

icacls "C:\Program Files\Viscosity" /deny Users:(W)

🧯 If You Can't Patch

  • Implement application whitelisting to prevent execution of unauthorized DLLs
  • Monitor for DLL planting in directories accessible to Viscosity process

🔍 How to Verify

Check if Vulnerable:

Check the Viscosity version in the Help > About menu. If the version is 1.6.7 or earlier, the system is vulnerable.

Check Version:

On Windows: wmic product where name="Viscosity" get version

Verify Fix Applied:

Verify that the version shows 1.6.8 or later in the Help > About menu.

📡 Detection & Monitoring

Log Indicators:

  • Unexpected DLL loads from non-standard directories
  • Viscosity process loading DLLs from user-writable locations

Network Indicators:

  • Unusual network connections from Viscosity process
  • SMB connections to unexpected shares

SIEM Query:

process_name="viscosity.exe" AND (file_path="*\Users\*\*.dll" OR file_path="*\Temp\*.dll")
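
The log indicators and SIEM query above, written out as an added example (not part of the original advisory): a filter over image-load events that flags viscosity.exe loading a DLL from a user-writable or UNC path. The field names follow Sysmon Event ID 7 (`Image`, `ImageLoaded`); the sample events, the UNC pattern and the function names are assumptions constructed for illustration.

```python
import ntpath
from fnmatch import fnmatchcase

# Lower-cased glob patterns. The first two come from the SIEM query above;
# the UNC pattern is an added assumption covering the network-share case.
SUSPICIOUS_PATTERNS = [
    r"*\users\*\*.dll",
    r"*\temp\*.dll",
    r"\\*\*.dll",
]

# Constructed sample events using Sysmon Event ID 7 field names.
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files\Viscosity\Viscosity.exe",
     "ImageLoaded": r"C:\Program Files\Viscosity\example.dll"},
    {"Image": r"C:\Program Files\Viscosity\Viscosity.exe",
     "ImageLoaded": r"C:\Users\alice\Downloads\example.dll"},
    {"Image": r"C:\Program Files\Viscosity\VISCOSITY.EXE",
     "ImageLoaded": r"C:\Windows\Temp\example.dll"},
    {"Image": r"C:\Program Files\Viscosity\Viscosity.exe",
     "ImageLoaded": r"\\fileserver\share\example.dll"},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "ImageLoaded": r"C:\Users\alice\Downloads\example.dll"},
]


def matched_pattern(event, process_name="viscosity.exe"):
    """Return the pattern an image-load event matches, or None."""
    # Windows paths are case-insensitive, so compare lower-cased values.
    if ntpath.basename(event["Image"]).lower() != process_name:
        return None
    loaded = event["ImageLoaded"].lower()
    return next((p for p in SUSPICIOUS_PATTERNS if fnmatchcase(loaded, p)), None)


def find_suspicious_loads(events):
    """List (dll_path, pattern) for every flagged load, in input order."""
    hits = []
    for event in events:
        pattern = matched_pattern(event)
        if pattern:
            hits.append((event["ImageLoaded"], pattern))
    return hits


if __name__ == "__main__":
    for path, pattern in find_suspicious_loads(SAMPLE_EVENTS):
        print(f"ALERT viscosity.exe loaded {path} (matched {pattern})")
```

Loads from the install directory and loads by other processes are not flagged; in production the event dictionaries would come from the collected image-load log rather than the inline sample.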
