A vulnerability was found in Circle with Disney (Endpoint Management Software) (affected version not known). It has been rated as critical. Affected by this issue is an unknown part of the component Auth Token Handler. The manipulation as part of a Network Packet leads to a improper authentication vulnerability. Using CWE to declare the problem leads to CWE-287. When an actor claims to have a given identity, the software does not prove or insufficiently proves that the claim is correct. Impacted is confidentiality, integrity, and availability. CVE summarizes:

An exploitable vulnerability exists in the generation of authentication token functionality of Circle with Disney. Specially crafted network packets can cause a valid authentication token to be returned to the attacker resulting in authentication bypass. An attacker can send a series of packets to trigger this vulnerability.

The bug was discovered 10/31/2017. The weakness was released 11/07/2017 (Website). The advisory is shared for download at talosintelligence.com. This vulnerability is handled as CVE-2017-2864 since 12/01/2016. The attack may be launched remotely. No form of authentication is required for exploitation. There are neither technical details nor an exploit publicly available.

The vulnerability was handled as a non-public zero-day exploit for at least 7 days. During that time the estimated underground price was around $0-$5k.

There is no information about possible countermeasures known. It may be suggested to replace the affected object with an alternative product.

Entries connected to this vulnerability are available at 109200, 109199, 109198 and 109197.

Productinfo

Type

• Endpoint Management Software

Name

• Circle with Disney

License

• commercial

CPE 2.3info

• 🔍

CPE 2.2info

• 🔍

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Discussion