VYPR
Unrated severity · NVD Advisory · Published Jan 28, 2022 · Updated Apr 15, 2025

CVE-2021-40406

Description

A denial of service vulnerability exists in the cgiserver.cgi session creation functionality of the Reolink RLC-410W v3.0.0.136_20121102. A specially-crafted HTTP request can prevent users from logging in. An attacker can send an HTTP request to trigger this vulnerability.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A denial of service vulnerability in Reolink RLC-410W camera's session creation allows an attacker to prevent user logins via a specially-crafted HTTP request.

Vulnerability

The vulnerability resides in the cgiserver.cgi session creation functionality of the Reolink RLC-410W camera running firmware version v3.0.0.136_20121102. The camera maintains an in-memory session list that cgiserver.cgi maintains by removing out-of-date or invalid sessions. A specially-crafted HTTP request can pollute this list with a session entry that the cleanup never removes; repeating the request eventually fills the session list and prevents new logins [1].

Exploitation

An unauthenticated attacker with network access to the camera can send a crafted HTTP request. cgiserver.cgi parses the request body as a JSON array of commands; by providing a malicious command sequence, the attacker can create a session entry that cannot be removed. No user interaction is required [1].
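The Vulnerability and Exploitation sections above describe a state-exhaustion pattern: a fixed-capacity session list, a reaper that skips entries it considers "not expired", and a pre-authentication allocation that a crafted request can leave in an unreapable state. The following is an added, constructed model of that pattern, not Reolink's code and not the actual crafted request; the capacity (8), the `timeout` parameter, the `None` expiry sentinel, the credential store and the JSON body layout are all assumptions chosen to make the mechanism observable. The same table is shown in a vulnerable and a hardened configuration.

```python
"""Constructed model of session-list exhaustion (not Reolink firmware code)."""
import json
import secrets
from dataclasses import dataclass, field
from typing import Optional

MAX_SESSIONS = 8        # assumed fixed capacity of the in-memory session list
SESSION_TTL = 300.0     # assumed idle timeout in seconds
USERS = {"admin": "correct horse"}   # constructed credential store


@dataclass
class Session:
    token: str
    user: Optional[str]            # None until the password check succeeds
    expires_at: Optional[float]    # None = "no expiry recorded" (vulnerable sentinel)


@dataclass
class SessionTable:
    hardened: bool
    sessions: list = field(default_factory=list)

    def reap(self, now: float) -> None:
        """Remove stale entries before every request."""
        if self.hardened:
            # Hardened: an entry without a valid expiry is treated as expired.
            self.sessions = [s for s in self.sessions
                             if s.expires_at is not None and s.expires_at > now]
        else:
            # Vulnerable: an entry without an expiry is never considered stale.
            self.sessions = [s for s in self.sessions
                             if s.expires_at is None or s.expires_at > now]

    def handle(self, body: bytes, now: float) -> dict:
        """Process one request body shaped as a JSON array of commands (assumed layout)."""
        self.reap(now)
        try:
            cmd = json.loads(body)[0]
            if cmd.get("cmd") != "Login":
                return {"code": 1, "error": "unsupported command"}
            param = cmd["param"]["User"]
            user, pw = param["userName"], param["password"]
            timeout = param.get("timeout", SESSION_TTL)
        except (ValueError, KeyError, IndexError, TypeError, AttributeError):
            return {"code": 1, "error": "bad request"}
        if len(self.sessions) >= MAX_SESSIONS:
            return {"code": 1, "error": "session list full"}   # the DoS condition

        if self.hardened:
            # Validate everything, then authenticate, then allocate: nothing is
            # stored for a request that fails either check.
            if (not isinstance(timeout, (int, float)) or isinstance(timeout, bool)
                    or not 0 < timeout <= SESSION_TTL):
                return {"code": 1, "error": "bad timeout"}
            if USERS.get(user) != pw:
                return {"code": 1, "error": "auth failed"}
            sess = Session(secrets.token_hex(8), user, now + timeout)
            self.sessions.append(sess)
            return {"code": 0, "token": sess.token}

        # Vulnerable path: the entry is allocated before the password is checked,
        # and a falsy or unparseable timeout is recorded as "no expiry".
        try:
            expires_at = now + float(timeout) if timeout else None
        except (TypeError, ValueError):
            expires_at = None
        sess = Session(secrets.token_hex(8), None, expires_at)
        self.sessions.append(sess)
        if USERS.get(user) != pw:
            return {"code": 1, "error": "auth failed"}   # entry stays in the list
        sess.user = user
        return {"code": 0, "token": sess.token}


def login_body(user: str, pw: str, timeout=None) -> bytes:
    """Build a constructed Login command; timeout is only included when given."""
    u = {"userName": user, "password": pw}
    if timeout is not None:
        u["timeout"] = timeout
    return json.dumps([{"cmd": "Login", "action": 0, "param": {"User": u}}]).encode()


def flood(table: SessionTable, now: float, timeout=None) -> int:
    """Attacker: send MAX_SESSIONS bogus logins and report how many entries stuck."""
    for i in range(MAX_SESSIONS):
        table.handle(login_body("nobody", "wrong", timeout), now + i)
    return len(table.sessions)


def legit_login(table: SessionTable, now: float) -> dict:
    return table.handle(login_body("admin", "correct horse"), now)


if __name__ == "__main__":
    v = SessionTable(hardened=False)
    print("vulnerable, stuck entries:", flood(v, 0.0, timeout=0))
    print("vulnerable, admin login long after TTL:", legit_login(v, 10_000.0))
    h = SessionTable(hardened=True)
    print("hardened, stuck entries:", flood(h, 0.0, timeout=0))
    print("hardened, admin login:", legit_login(h, 10_000.0)["code"])
```

Two things the model makes visible. With ordinary failed logins (no `timeout` key) the vulnerable table recovers once the TTL passes, so a plain brute-force burst is not a persistent DoS; only the entries that land on the reaper's blind spot survive. The hardened path closes both halves of the bug: input is validated and authenticated before any list slot is taken, and the reaper treats an entry it cannot evaluate as expired rather than as permanent.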

Impact

Successful exploitation results in a denial of service condition where legitimate users are unable to log into the camera. The attack does not affect confidentiality or integrity. The CVSSv3 score is 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) [1].

Mitigation

As of the publication date (2022-01-28), no firmware update or workaround has been released by Reolink. Users should monitor the vendor's support channels for a patch. This CVE is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog [1].

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2
  • reolink/RLC-410W (source: description)
  • Reolink/RLC-410W (source: llm-fuzzy)
    Range: = 3.0.0.136_20121102

Patches

0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

1

News mentions

0

No linked articles in our index yet.