Cisco Talos researchers found 22 vulnerabilities in the Circle with Disney web filter, seven of which were assigned a CVSS base score of 9.6 or higher.
Cisco Talos researchers found 22 vulnerabilities in the Circle with Disney web filter, seven of which were assigned a CVSS base score of 9.6 or higher.

A Disney-branded internet filter designed to weed out objectionable content and monitor children's screen-time underwent automatic patching on Tuesday after researchers discovered multiple vulnerabilities that could have exposed users to cyberattacks.

In a Tuesday blog post, researchers from Cisco's Talos threat intelligence group cited 22 bugs in the "Circle with Disney" filter, which pairs wirelessly with home WiFi networks and allows parents to manage a viewing habits on any connected screen device. The filters can be controlled using a corresponding app for iOS and Android, which enables device owners to create unique profiles for each family member and adjust each user's settings accordingly.

According to Talos, the vulnerabilities could have allowed attackers to "gain various levels of access and privilege, including the ability to alter network traffic, execute arbitrary remote code, inject commands, install unsigned firmware, accept a different certificate than intended, bypass authentication, escalate privileges, reboot the device, install a persistent backdoor, overwrite files, or even completely brick the device."

Seven of the 22 vulnerabilities were assigned a Common Vulnerability Scoring Systems (CVSS) base score of 9.6 or higher. Talos privately reported the flaws between July and September of 2017.

"We've been working very closely with the Talos team on their findings and worked quickly to issue firmware updates," said Circle with Disney developer Circle Media, in a statement. Indeed, Talos praised Circle Media for its responsiveness and its decision to push out security updates to customers rather than relying on Circle with Disney users to update the product on their own.

A Circle Media spokesperson also told SC Media via email that in order for the discovered vulnerabilities to be exploited, an attacker "would already have to be on the user's home network" -- an important distinction that did not appear in the Talos blog post. However, in a separate email interview, Talos threat researcher Bill Largent told SC Media that two of the vulnerabilities actually would not have required home network access to exploit.

The first of these two remotely exploitable vulnerabilities is CVE-2017-12085, a token routing vulnerability within the Circle with Disney cloud infrastructure. "This vulnerability is really interesting because a malicious threat actor could basically leverage the Circle cloud infrastructure to attack other customer devices," said Largent. "We've seen a proliferation of supply chain attacks and exploitation of trust relationships over the course of this year." 

The other is CVE-2017-12096, a WiFi security downgrade vulnerability. "...If someone stood up a rogue WiFi router with the spoofed SSID, they could get the Circle device connected directly to the rogue WiFi router," Largent explained.

Among the most serious bugs, each with a CVSS score of 9.9, are a trio of OS command injection vulnerabilities that could have been exploited with malicious HTTP requests containing specially crafted network packets. These bugs were found, respectively, within Circle of Disney's notifications functionality (CVE-2017-2917), API Management configuration restore functionality (CVE-2017-2890), and API Management configuration back-up functionality (CVE-2017-2866).

Other highly critical bugs were described by Talos as a "firmware update signature check bypass vulnerability" (CVE-2017-2898), and a "configuration restore photos file overwrite vulnerability" (CVE-2017-2916).