Disney-branded internet filter had Mickey Mouse security

23 vulnerabilities let rats run riot, even as kids' eyes were kept innocent

By Richard Chirgwin


A Disney-branded home internet filtering device might keep bad content out, but it was an open door to bad actors until earlier this month.

That's what Cisco Talos's William Largent found when he took a look at "Circle with Disney", a Circle Media parental control device on which the entertainment giant slapped its brand.

Whatever its qualities in filtering and screen time management, the US$99 box is riddled with 23 vulns, as the Talos post discloses.

The good news is that Talos described Circle Media as “exemplary to work with”, which is just as well when you've got to deal with backdooring, privilege escalation, remote code execution, authentication bypass, firmware substitution, certificate impersonation and more.

The backdoor arises in CVE-2017-12084, described in full here.

A remote client binary is meant to give admins remote cloud control of the device via a Meet Circle domain, but it lets an attacker send a sequence of packets to the device's SSH server, open a persistent backdoor, and send API calls to the server.

In CVE-2017-2865 (full description here), firmware is fetched over HTTP using wget, so an attacker can MITM the process and install their own firmware.
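To make the update-path weakness concrete, here is an added illustration (not Circle Media's updater, and not code from the Talos advisory): the plaintext-HTTP fetch pattern that lets an on-path attacker swap the image, beside a hardened fetch that insists on TLS and refuses to flash anything whose SHA-256 does not match a digest pinned from the vendor's release notes. The hostname, file paths, `flash_image` stand-in and pinned digest are all assumed placeholders.

```shell
#!/bin/sh
# Added example, not the device's real update script. The host, paths and
# pinned digest are constructed placeholders, not values from the advisory.

FW_URL_WEAK="http://updates.example.invalid/firmware.bin"   # cleartext, no integrity check
FW_URL="https://updates.example.invalid/firmware.bin"
FW_FILE="/tmp/firmware.bin"
# Digest the vendor publishes out-of-band for this release (placeholder).
PINNED_SHA256="<sha256 from the vendor's signed release notes>"

# Stand-in for the device's flasher; the real one writes to the flash partition.
flash_image() { echo "would flash $1"; }

# Weak pattern (the CVE-2017-2865 shape): whatever arrives over HTTP is flashed as-is,
# so anyone who can intercept the connection chooses what runs on the box.
weak_update() {
    wget -q -O "$FW_FILE" "$FW_URL_WEAK" && flash_image "$FW_FILE"
}

# verify_firmware FILE EXPECTED_SHA256
# Succeeds only when FILE is non-empty and its SHA-256 equals EXPECTED; fails closed otherwise.
verify_firmware() {
    file="$1"; expected="$2"
    [ -s "$file" ] || return 1
    actual=$(sha256sum "$file" | awk '{print $1}')
    [ "$actual" = "$expected" ]
}

# Hardened pattern: TLS only (wget validates the certificate by default; never add
# --no-check-certificate), no redirects to other hosts, digest check before flashing.
hardened_update() {
    wget -q --https-only --secure-protocol=TLSv1_2 --max-redirect=0 \
         -O "$FW_FILE" "$FW_URL" || { echo "download failed" >&2; return 1; }
    verify_firmware "$FW_FILE" "$PINNED_SHA256" || {
        echo "firmware digest mismatch, refusing to flash" >&2
        rm -f "$FW_FILE"
        return 1
    }
    flash_image "$FW_FILE"
}
```

`verify_firmware` runs offline against any file; the two update functions only do anything useful once the placeholder host and digest are replaced. A pinned digest protects against a swapped image but not against a stale one, so a signed manifest carrying a version number is the stronger follow-up.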

If the Circle with Disney device is visible to an attacker through the firewall (or installed outside the firewall), they can exploit CVE-2017-12087, a buffer overrun bug in the tinysvcmdns DNS responder.

Helpfully (to an attacker), CVE-2017-12085 provides one such path to the target device: “An exploitable routing vulnerability exists in the Circle with Disney cloud infrastructure. A specially crafted packet can make the Circle cloud route a packet to any arbitrary Circle device.”

Circle Media pushed updates to devices before Talos went public. ®
