### Summary
An exploitable vulnerability exists in the authentication token generation functionality of Circle with Disney. Specially crafted network packets can cause a valid authentication token to be returned to the attacker, resulting in an authentication bypass. An attacker can send a series of packets to trigger this vulnerability.
### Tested Versions
Circle with Disney
### Product URLs
https://meetcircle.com/
### CVSSv3 Score
9.8 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
### CWE
CWE-639 - Authorization Bypass Through User-Controlled Key
### Details
Circle with Disney is a network device used to monitor internet use of children on a given network.
Every request to the Circle must carry an authentication token. To request a token, a client supplies an `appid`, a unique string identifying the client, together with a `hash`, a `SHA1` digest meant to prove that the client is allowed to access the device. The only secret input to that digest is a 4-digit PIN. The `hash` is calculated as follows:
```
hash = SHA1(appid + pin)
```
The client supplies both the `appid` and the `hash`, so the `pin` is the only value the client does not already control. Because the key space of the `pin` is only `10000` values, an attacker can brute force it cheaply and obtain an authentication token. With the token in hand, the attacker can make any of the available API calls.
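The following is an added example, not code from the advisory or from the vendor. It reproduces the `SHA1(appid + pin)` construction described above to show how little secret entropy it carries, and places a hardened token-request design beside it. The `appid` and PIN values, the 256-bit pairing secret, the nonce challenge, and the lockout threshold are all assumptions used for illustration, not details of the product.

```python
import hashlib
import hmac
import math
import secrets

# Constructed sample values; the page does not give real appid or PIN formats.
SAMPLE_APPID = "example-app-0001"
SAMPLE_PIN = "1234"


def weak_hash(appid: str, pin: str) -> str:
    """The scheme the advisory describes: hash = SHA1(appid + pin).

    appid is chosen by the client, so the only secret input is the PIN.
    Plain concatenation also gives no domain separation between the two
    fields: ("a", "1234") and ("a1", "234") hash to the same value.
    """
    return hashlib.sha1((appid + pin).encode()).hexdigest()


def secret_entropy_bits(keyspace: int) -> float:
    """Bits of secret entropy in a credential drawn from `keyspace` values."""
    return math.log2(keyspace)


class HardenedTokenIssuer:
    """Assumed redesign (not the vendor's fix) of the token endpoint:

    * a per-device 256-bit pairing secret replaces the PIN as keying material;
    * the client proves knowledge of it with HMAC-SHA256 over a server-issued,
      single-use nonce, so a captured proof cannot be replayed;
    * the comparison is constant-time;
    * repeated failures for an appid lock that appid out.
    """

    MAX_FAILURES = 5  # assumed threshold

    def __init__(self, pairing_secret: bytes):
        self._secret = pairing_secret
        self._outstanding_nonces = set()
        self._failures = {}

    def challenge(self) -> str:
        """Issue a fresh nonce the client must bind its proof to."""
        nonce = secrets.token_hex(16)
        self._outstanding_nonces.add(nonce)
        return nonce

    @staticmethod
    def prove(pairing_secret: bytes, appid: str, nonce: str) -> str:
        """Client side: HMAC over appid and nonce with a NUL separator."""
        message = f"{appid}\x00{nonce}".encode()
        return hmac.new(pairing_secret, message, hashlib.sha256).hexdigest()

    def request_token(self, appid: str, nonce: str, proof: str):
        """Return a session token on success, None on any failure."""
        if self._failures.get(appid, 0) >= self.MAX_FAILURES:
            return None  # locked out after too many bad proofs
        if nonce not in self._outstanding_nonces:
            return None  # unknown, expired, or already-used nonce
        self._outstanding_nonces.discard(nonce)  # single use
        expected = self.prove(self._secret, appid, nonce)
        if not hmac.compare_digest(expected, proof):
            self._failures[appid] = self._failures.get(appid, 0) + 1
            return None
        self._failures.pop(appid, None)
        return secrets.token_urlsafe(32)


if __name__ == "__main__":
    print("weak hash:", weak_hash(SAMPLE_APPID, SAMPLE_PIN))
    print("PIN entropy bits:", round(secret_entropy_bits(10_000), 1))
    secret = secrets.token_bytes(32)
    issuer = HardenedTokenIssuer(secret)
    n = issuer.challenge()
    print("token:", issuer.request_token(
        SAMPLE_APPID, n, HardenedTokenIssuer.prove(secret, SAMPLE_APPID, n)))
```

The hardened class keeps the same request shape (client identifier plus a proof) but moves the secret from a 4-digit PIN, about 13 bits, to a 256-bit key, binds each proof to a server nonce so it cannot be replayed, and counts failures so that guessing is detectable and bounded rather than silent.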
### Timeline
* 2017-07-13 - Vendor Disclosure
* 2017-10-31 - Public Release
### CREDIT
Discovered by Cory Duplantis, Yves Younan, Marcin 'Icewall' Noga, Claudio Bozzato, Lilith Wyatt <(^_^)>, Aleksandar Nikolic, and Richard Johnson of Cisco Talos.