A Disney-branded home internet filtering device might keep bad content out, but it was an open door to bad actors until earlier this month.
That's what Cisco Talos's William Largent found when he took a look at "Circle with Disney", a Circle Media parental control device on which the entertainment giant slapped its brand.
Whatever its qualities in filtering and screen time management, the US$99 box is riddled with 23 vulns, as the Talos post discloses.
The good news is that Talos described Circle Media as “exemplary to work with”, which is just as well when you've got to deal with backdooring, privilege escalation, remote code execution, authentication bypass, firmware substitution, certificate impersonation and more.
The backdoor arises in CVE-2017-12084, described in full here.
A remote client binary is meant to give admins remote cloud control of the device via a Meet Circle domain, but it lets an attacker send a sequence of packets to the device's SSH server, open a persistent backdoor, and send API calls to the server.
In CVE-2017-2865 (full description here), firmware is fetched over HTTP using wget, so an attacker can MITM the process and install their own firmware.
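The plain-HTTP wget fetch described above is what lets an on-path attacker swap the image. The following shell script is an added example, not Circle Media's updater or anything from the Talos post: it shows the minimum a firmware fetch should do, namely refuse non-HTTPS URLs and compare the downloaded image against a digest pinned out of band before anything is flashed. The URL, digest and output path are caller-supplied assumptions, and the pinned digest stands in for what a production updater would do with a signature over the image.

```shell
#!/bin/sh
# Added example (not Circle Media's updater): a firmware fetch that refuses plain
# HTTP and checks the image against a digest pinned out-of-band. The URL, digest
# and output path are assumptions supplied by the caller.

# Portable SHA-256 helper: prefer sha256sum, fall back to shasum.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# Reject any non-HTTPS URL before touching the network, so an on-path attacker
# cannot substitute the image in transit.
check_firmware_url() {
  case "$1" in
    https://*) return 0 ;;
    *) echo "refusing non-HTTPS firmware URL: $1" >&2; return 1 ;;
  esac
}

# Compare a downloaded image against the pinned digest (hex, case-insensitive).
verify_firmware_digest() {
  _file="$1"; _expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
  _actual=$(sha256_of "$_file")
  [ "$_actual" = "$_expected" ]
}

# Full flow: scheme check, TLS download (never pass --no-check-certificate),
# digest check, and deletion of anything that fails so it is never flashed.
fetch_firmware() {
  _url="$1"; _expected="$2"; _out="$3"
  check_firmware_url "$_url" || return 1
  wget -q -O "$_out" "$_url" || { rm -f "$_out"; return 1; }
  if verify_firmware_digest "$_out" "$_expected"; then
    echo "firmware verified: $_out"
  else
    echo "digest mismatch, discarding $_out" >&2
    rm -f "$_out"
    return 1
  fi
}
```

Usage is `fetch_firmware https://updates.example.invalid/fw.bin <pinned-sha256> /tmp/fw.bin`; the http:// form of the same call fails before any bytes are requested, and a tampered image fails the digest check and is deleted rather than left on disk for the flashing step.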
If the Circle with Disney device is visible to an attacker through the firewall (or installed outside the firewall), they can exploit CVE-2017-12087, a buffer overrun bug in the tinysvcmdns DNS responder.
Helpfully (to an attacker), CVE-2017-12085 provides one such path to the target device: “An exploitable routing vulnerability exists in the Circle with Disney cloud infrastructure. A specially crafted packet can make the Circle cloud route a packet to any arbitrary Circle device.”
Circle Media pushed updates to devices before Talos went public. ®