The makers of the popular parental control system called Circle with Disney patched 23 vulnerabilities over the weekend. The bugs ran the gamut from memory corruption and denial of service to SSL validation vulnerabilities, and they impact all devices managed on a network.
Circle with Disney is a $90 device made in partnership by Disney Interactive and Circle Media, introduced last year. It pairs wirelessly to a home Wi-Fi network and allows parents to manage devices on the network such as tablets, TVs or laptops. The affected model is Circle with Disney 2.0.1. Users are urged to patch devices; however, Circle said patches were pushed out to connected devices over this past weekend.
Users use iOS or Android apps to manage networked devices. However, it isn’t clear whether the iOS and Android devices running the apps are also vulnerable to attack.
“Through these exploitable vulnerabilities, a malicious attacker could gain various levels of access and privilege,” wrote Cisco Talos researchers who worked with Circle Media to mitigate the nearly two dozen vulnerabilities.
Of those flaws, one vulnerability (CVE-2017-12087) received a CVSS score of 10, the highest you can get. That was for a Tinysvcmdns Multi-label DNS Heap Overflow Vulnerability, according to Cisco Talos.
“An exploitable heap overflow vulnerability exists in the tinysvcmdns library version 2016-07-18. A specially crafted packet can make the library overwrite an arbitrary amount of data on the heap with attacker controlled values. An attacker needs to send a DNS packet to trigger this vulnerability,” researchers wrote.
Another bug, a command injection vulnerability (CVE-2017-2917), has a CVSS rating of 9.9. “An exploitable vulnerability exists in the notifications functionality of Circle with Disney running firmware 2.0.1. Specially crafted network packets can cause an OS command injection. An attacker can send an HTTP request to trigger this vulnerability,” according to a Cisco Talos researcher.
One particularly menacing vulnerability (CVE-2017-12085), in the Circle Media with Disney software, could allow hackers to effectively use the Circle cloud infrastructure to attack other customer devices.
In total, 17 of the 23 vulnerabilities received CVSS scores of 9.0 or higher. Successful attacks could have given adversaries the “ability to alter network traffic, execute arbitrary remote code, inject commands, install unsigned firmware, accept a different certificate than intended, bypass authentication, escalate privileges, reboot the device, install a persistent backdoor, overwrite files, or even completely brick the device,” Cisco Talos researchers wrote.
“If an attacker were to gain access, a family’s online activity could be monitored and controlled from a malicious outside source, potentially putting the family’s personal information at risk,” wrote researchers.
Vulnerability disclosures by Cisco Talos to Circle Media occurred over several months this summer. The coordinated public disclosure was Oct. 31. Many Cisco researchers are credited with finding the bugs, including Marcin Noga, Cory Duplantis, Yves Younan, Claudio Bozzato, Lilith Wyatt, Aleksandar Nikolic and Richard Johnson.