### Summary

An exploitable vulnerability exists in the authentication token generation functionality of Circle with Disney. Specially crafted network packets can cause a valid authentication token to be returned to the attacker, resulting in authentication bypass. An attacker can send a series of packets to trigger this vulnerability.

### Tested Versions

Circle with Disney

### Product URLs

https://meetcircle.com/

### CVSSv3 Score

9.8 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

### CWE

CWE-639 - Authorization Bypass Through User-Controlled Key

### Details

Circle with Disney is a network device used to monitor the internet use of children on a given network.

When making any request to the Circle, an authentication token must be provided. To request a token, a client specifies an `appid`, a unique string used to identify the client, as well as a `hash`, a `SHA1` hash used to verify that the client should have access to the device. The only secret piece of information is a 4-digit PIN. The `hash` is calculated as follows:

```
hash = SHA1(appid + pin)
```

The client provides both the `appid` and the `hash`. Because the key space for the `pin` is only `10000` values, an attacker can easily brute force the PIN to retrieve an authentication token. With the authentication token in hand, an attacker can make any of the available API calls.

### Timeline

* 2017-07-13 - Vendor Disclosure
* 2017-10-31 - Public Release

### CREDIT

Discovered by Cory Duplantis, Yves Younan, Marcin 'Icewall' Noga, Claudio Bozzato, Lilith Wyatt <(^_^)>, Aleksandar Nikolic, and Richard Johnson of Cisco Talos.
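The token check above, reproduced as an added example (not Circle's firmware or Talos code) next to the mitigation the advisory implies: a token issuer that throttles failed hash checks so the 10,000-value PIN space cannot be enumerated. It assumes `appid` and the PIN are concatenated as ASCII strings and the hash is sent as a hex digest; the lockout policy and token format are constructed for the example.

```python
import hashlib
import hmac
import time
from collections import defaultdict

PIN_SPACE = 10 ** 4  # 4 decimal digits, as stated in the advisory


def expected_hash(appid: str, pin: str) -> str:
    """hash = SHA1(appid + pin), the client-side computation from the advisory.
    Assumption: ASCII concatenation, hex digest on the wire."""
    return hashlib.sha1((appid + pin).encode("ascii")).hexdigest()


# Constructed throttling policy; the real device applies no limit, which is the bug.
MAX_FAILURES = 5
WINDOW_SECONDS = 300


class TokenService:
    """Hypothetical token issuer with per-client failure throttling.

    The throttle is keyed on the network client, NOT on appid: appid is chosen by
    the requester (CWE-639), so keying on it would let a requester reset the counter
    simply by sending a fresh appid."""

    def __init__(self, pin: str, clock=time.monotonic):
        self._pin = pin
        self._clock = clock
        self._failures = defaultdict(list)  # client -> timestamps of failed attempts

    def request_token(self, client: str, appid: str, hash_hex: str):
        now = self._clock()
        recent = [t for t in self._failures[client] if now - t < WINDOW_SECONDS]
        self._failures[client] = recent
        if len(recent) >= MAX_FAILURES:
            return None  # locked out: refuse before even evaluating the hash
        if hmac.compare_digest(expected_hash(appid, self._pin), hash_hex):
            recent.clear()
            return f"token:{appid}"  # placeholder token for the example
        recent.append(now)
        return None


def windows_to_exhaust_pin_space() -> int:
    """Lockout windows one client needs to try every PIN under this policy."""
    return -(-PIN_SPACE // MAX_FAILURES)  # ceiling division: 2000 windows
```

With the constructed policy, exhausting the PIN space from one client takes 2000 windows of 300 s, roughly a week instead of seconds, and every lockout is an event worth alerting on.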