CVE-2021-40404

Vulnerability

An authentication bypass vulnerability exists in the cgiserver.cgi Login functionality of Reolink RLC-410W firmware version 3.0.0.136_20121102 [1]. The camera enforces that only the Login API is usable without authentication, but the command parser accepts a JSON array of commands in the HTTP body. By including a non-Login command in the array alongside a Login command, an attacker can bypass the “please login first” check and execute arbitrary API commands without authentication [1].

Exploitation

An attacker can send a specially crafted HTTP POST request to the camera containing a JSON array object in the body. The array must include a cmd with value Login as one element, and any other desired command(s) in subsequent elements. No authentication, user interaction, or network position is required beyond network access to the device [1]. The parse_incoming_and_check_command function processes the array without properly enforcing the authentication check for each command, allowing the attacker to execute privileged commands.

Impact

Successful exploitation allows an unauthenticated attacker to execute arbitrary API commands on the camera, bypassing the intended access control. This can lead to modification of device settings, retrieval of sensitive information (such as camera configuration or video stream access), and other unauthorized actions with the privileges of an authenticated user, resulting in a compromise of confidentiality and integrity of the device [1]. The CVSSv3 score is 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N).

Mitigation

As of the publication date (2022-01-28), no fixed firmware version has been released by Reolink. Users should monitor the vendor’s support page for updates. Reolink RLC-410W devices running firmware version 3.0.0.136_20121102 are affected and no workaround is provided in the reference [1]. If the device reaches end-of-life, replacement is recommended.