Disney-branded internet filter had Mickey Mouse security

23 vulnerabilities let rats run riot, even as kids' eyes were kept innocent

By Richard Chirgwin

Posted in Software, 1st November 2017 00:59 GMT

A Disney-branded home internet filtering device might keep bad content out, but it was an open door to bad actors until earlier this month.

That's what Cisco Talos's William Largent found when he took a look at "Circle with Disney", a Circle Media parental control device on which the entertainment giant slapped its brand.

Whatever its qualities in filtering and screen-time management, the US$99 box was riddled with 23 vulnerabilities, as the Talos post discloses.

The good news is that Talos described Circle Media as “exemplary to work with”, which is just as well when you've got to deal with backdooring, privilege escalation, remote code execution, authentication bypass, firmware substitution, certificate impersonation and more.

The backdoor is CVE-2017-12084, which Talos describes in full in its advisory.

A remote-control binary is meant to give admins cloud-based control of the device via a Meet Circle domain, but it also lets an attacker send a particular sequence of packets to the device that opens a persistent SSH backdoor, after which the attacker can send API calls to the server.

In CVE-2017-2865 (again written up in full by Talos), firmware is fetched over plain HTTP using wget, so an attacker sitting on the network path can replace the image in transit and have the device install their own firmware.

If the Circle with Disney device is reachable by an attacker through the firewall (or is installed outside it), they can exploit CVE-2017-12087, a buffer overrun in the tinysvcmdns mDNS responder the device uses.
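To make that class of bug concrete, here is an added illustration, not code from tinysvcmdns or from Talos's advisory: a DNS name decoder of the kind an mDNS responder runs on every multicast packet it receives, written with the checks a robust one needs. Every length byte and compression pointer is validated against the end of the packet and against the output buffer before a single byte is copied, and pointer chasing is forced backwards and capped; dropping any one of those checks is the classic route to the sort of buffer overrun described above. The packets are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DNS_MAX_NAME  255   /* RFC 1035: encoded name, including root label */
#define DNS_MAX_LABEL 63    /* RFC 1035: a single label                     */
#define DNS_MAX_HOPS  64    /* defensive cap on compression-pointer chasing  */

/*
 * Decode the DNS name starting at offset 'off' of the 'len'-byte packet 'pkt'
 * into the dotted string 'out' (capacity 'outcap'), following RFC 1035
 * compression pointers. Returns the number of bytes the name occupies at
 * 'off' (so a caller can step to the next field), or -1 if the packet is
 * truncated, oversized, reserved-flagged, or loops.
 */
int dns_name_decode(const uint8_t *pkt, size_t len, size_t off,
                    char *out, size_t outcap)
{
    size_t pos = off, outlen = 0, wire = 0, consumed = 0;
    int jumped = 0, hops = 0;

    if (outcap == 0) return -1;
    out[0] = '\0';

    for (;;) {
        if (pos >= len) return -1;               /* length byte is off the end */
        uint8_t c = pkt[pos];

        if ((c & 0xC0) == 0xC0) {                /* 11xxxxxx: compression pointer */
            if (pos + 1 >= len) return -1;       /* second pointer byte off the end */
            size_t target = ((size_t)(c & 0x3F) << 8) | pkt[pos + 1];
            if (!jumped) consumed = pos + 2 - off;
            jumped = 1;
            if (target >= pos) return -1;        /* must point backwards: no self-loops */
            if (++hops > DNS_MAX_HOPS) return -1;
            pos = target;
            continue;
        }
        if (c & 0xC0) return -1;                 /* 01/10 prefixes are reserved */
        if (c == 0) {                            /* root label terminates the name */
            if (!jumped) consumed = pos + 1 - off;
            return (int)consumed;
        }

        /* ordinary label: 'c' bytes of text follow the length byte */
        if (c > DNS_MAX_LABEL) return -1;
        if (c > len - pos - 1) return -1;        /* label body runs past the packet */
        wire += (size_t)c + 1;
        if (wire + 1 > DNS_MAX_NAME) return -1;  /* too long on the wire; also ends label/pointer loops */
        if (outlen + (outlen ? 1 : 0) + c + 1 > outcap) return -1;  /* would overrun caller's buffer */

        if (outlen) out[outlen++] = '.';
        memcpy(out + outlen, pkt + pos + 1, c);
        outlen += c;
        out[outlen] = '\0';
        pos += 1 + (size_t)c;
    }
}

/* Constructed test packets: a 12-byte zeroed header, then name data at offset 12. */
#define HDR 0,0,0,0,0,0,0,0,0,0,0,0
static const uint8_t good_pkt[] = {            /* "_http._tcp.local" at 12, "printer" + pointer to 12 at 30 */
    HDR, 5,'_','h','t','t','p', 4,'_','t','c','p', 5,'l','o','c','a','l', 0,
    7,'p','r','i','n','t','e','r', 0xC0, 0x0C };
static const uint8_t truncated_pkt[]  = { HDR, 0x3F, 'a' };             /* claims 63 bytes, has 1   */
static const uint8_t self_loop_pkt[]  = { HDR, 0xC0, 0x0C };            /* pointer to itself        */
static const uint8_t label_loop_pkt[] = { HDR, 1, 'a', 0xC0, 0x0C };    /* label, then pointer back */
static const uint8_t reserved_pkt[]   = { HDR, 0x40, 'x', 0 };          /* reserved 01 prefix       */

/* Decode with a chosen output capacity (<= 256) and compare with 'expect':
 * returns the decoder's byte count on a match, -2 on a mismatch, or -1. */
int decode_and_compare(const uint8_t *pkt, size_t len, size_t off,
                       size_t outcap, const char *expect)
{
    char buf[256];
    if (outcap > sizeof buf) outcap = sizeof buf;
    int rc = dns_name_decode(pkt, len, off, buf, outcap);
    if (rc < 0) return rc;
    return strcmp(buf, expect) == 0 ? rc : -2;
}

int main(void)
{
    char name[256];
    int n = dns_name_decode(good_pkt, sizeof good_pkt, 30, name, sizeof name);
    printf("offset 30 -> \"%s\" (%d bytes at that offset)\n", name, n);
    printf("truncated %d, self-pointer %d, label/pointer loop %d, reserved %d, tiny buffer %d\n",
           dns_name_decode(truncated_pkt, sizeof truncated_pkt, 12, name, sizeof name),
           dns_name_decode(self_loop_pkt, sizeof self_loop_pkt, 12, name, sizeof name),
           dns_name_decode(label_loop_pkt, sizeof label_loop_pkt, 12, name, sizeof name),
           dns_name_decode(reserved_pkt, sizeof reserved_pkt, 12, name, sizeof name),
           dns_name_decode(good_pkt, sizeof good_pkt, 30, name, 8));
    return 0;
}
```

The point for anyone auditing a responder like this: the dangerous inputs are not exotic. A single length byte that exceeds the remaining packet, or a pointer that lands on or after itself, is all it takes, and a decoder that trusts either one will read or write past its buffer on the first malformed multicast it sees.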

Helpfully (to an attacker), CVE-2017-12085 provides one such path to the target device: “An exploitable routing vulnerability exists in the Circle with Disney cloud infrastructure. A specially crafted packet can make the Circle cloud route a packet to any arbitrary Circle device.”

Circle Media pushed updates to devices before Talos went public. ®