CVE-2021-40410
Description
An OS command injection vulnerability exists in the device network settings functionality of reolink RLC-410W v3.0.0.136_20121102. At [4] the dns_data->dns1 variable, that has the value of the dns1 parameter provided through the SetLocal API, is not validated properly. This would lead to an OS command injection.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
An OS command injection vulnerability in the SetLocal API of Reolink RLC-410W cameras allows authenticated attackers to execute arbitrary commands via the dns1 parameter.
Vulnerability
The vulnerability resides in the device network settings functionality of Reolink RLC-410W firmware version 3.0.0.136_20121102. The SetLocal API accepts a dns1 parameter that is stored in dns_data->dns1 and later interpolated into an OS command string without being validated as an IP address, so shell metacharacters in the value are interpreted by the shell that runs the command. The only affected version named in the advisory is v3.0.0.136_20121102 [1].
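The following is an added example, not code from the Reolink firmware or from the Talos advisory: a minimal C reconstruction of the pattern the description sketches (an attacker-controlled dns1 string formatted into a shell command) next to a hardened variant that validates dns1 as a dotted-quad IPv4 address with inet_pton and renders the configuration line without involving a shell. All names (dns_data, build_dns_cmd_vulnerable, render_resolv_conf, the resolv.conf target) and the injection payload are assumptions constructed for illustration.

```c
/* Added example for CVE-2021-40410 (not Reolink's code). Struct and function
 * names are hypothetical; the payload string is constructed for the demo. */
#include <stdio.h>
#include <string.h>
#include <arpa/inet.h>

struct dns_data {
    char dns1[64];   /* value of the SetLocal "dns1" parameter, attacker-controlled */
};

/* VULNERABLE PATTERN (illustrative): dns1 is interpolated verbatim into a
 * command string that the firmware would later hand to system()/popen().
 * A value such as "8.8.8.8;touch /tmp/pwned" makes the shell run both commands. */
int build_dns_cmd_vulnerable(const struct dns_data *d, char *cmd, size_t cmdlen)
{
    int n = snprintf(cmd, cmdlen, "echo nameserver %s > /etc/resolv.conf", d->dns1);
    return (n < 0 || (size_t)n >= cmdlen) ? -1 : 0;
}

/* Hardened check: dns1 must parse as a dotted-quad IPv4 address. inet_pton()
 * is strict and returns 0 for trailing garbage, so shell metacharacters,
 * whitespace, hostnames and "$(...)" sequences are all rejected. */
int dns_is_valid_ipv4(const char *s)
{
    struct in_addr a;
    return s != NULL && inet_pton(AF_INET, s, &a) == 1;
}

/* Hardened writer: validate first, then render the config line into a buffer
 * that the caller writes with fopen()/fwrite(). No shell is ever involved, so
 * even a validation bypass could not become command execution. */
int render_resolv_conf(const struct dns_data *d, char *out, size_t outlen)
{
    if (!dns_is_valid_ipv4(d->dns1))
        return -1;
    int n = snprintf(out, outlen, "nameserver %s\n", d->dns1);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* Runs the two paths against a constructed injection payload and a benign
 * value; returns 1 when the vulnerable path preserves the payload and the
 * hardened path rejects it but accepts the benign address. */
int example_checks(void)
{
    struct dns_data d;
    char buf[256];

    /* Constructed payload: valid-looking address followed by an injected command. */
    strncpy(d.dns1, "8.8.8.8;touch /tmp/pwned", sizeof d.dns1 - 1);
    d.dns1[sizeof d.dns1 - 1] = '\0';

    if (build_dns_cmd_vulnerable(&d, buf, sizeof buf) != 0) return 0;
    if (strstr(buf, ";touch /tmp/pwned") == NULL) return 0;   /* payload survives */
    if (render_resolv_conf(&d, buf, sizeof buf) != -1) return 0; /* hardened: rejected */

    strncpy(d.dns1, "8.8.8.8", sizeof d.dns1 - 1);
    d.dns1[sizeof d.dns1 - 1] = '\0';
    if (render_resolv_conf(&d, buf, sizeof buf) != 0) return 0;
    if (strcmp(buf, "nameserver 8.8.8.8\n") != 0) return 0;
    return 1;
}

int main(void)
{
    struct dns_data d;
    char buf[256];
    strncpy(d.dns1, "8.8.8.8;touch /tmp/pwned", sizeof d.dns1 - 1);
    d.dns1[sizeof d.dns1 - 1] = '\0';
    build_dns_cmd_vulnerable(&d, buf, sizeof buf);
    printf("vulnerable command string: %s\n", buf);
    printf("hardened path: %s\n",
           render_resolv_conf(&d, buf, sizeof buf) == 0 ? "accepted" : "rejected");
    return 0;
}
```

The point of the hardened variant is the combination: an allow-list parse (inet_pton, not a deny-list of characters such as `;` or `|`) and removing the shell from the write path entirely. Either alone leaves a gap; an allow-list check that still calls system() is one regression away from the original bug, and dropping the shell without validation still lets an attacker write arbitrary nameserver lines. The example is written for IPv4 because the parameter is dns1; a firmware that also accepts IPv6 would add an AF_INET6 branch in the same place.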
Exploitation
An attacker must hold valid credentials for the camera's web interface (the advisory describes the SetLocal API as privileged) and send a crafted HTTP request to SetLocal with a dns1 value carrying shell metacharacters and the command to run. No interaction from a victim user is required; the attacker's own authenticated request triggers the injection [1].
Impact
Successful exploitation allows arbitrary OS command execution on the device in the security context of the process that applies the network settings; on embedded camera firmware such services commonly run as root, in which case this is full compromise of the camera, including access to the video stream and stored credentials, use of the device as a foothold for attacks on the local network, and denial of service. The CVSSv3 score is 9.1 (Critical), with high impact on confidentiality, integrity, and availability [1].
Mitigation
As of the publication date (2022-01-28), no patched firmware version had been released by Reolink. Because exploitation requires valid credentials, the practical controls are to keep the camera's web interface off the internet and on a segmented network reachable only by trusted administrators, to replace default or shared credentials, and to watch for a vendor firmware update. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog as of the publication date [1].
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
reolink/RLC-410W (v3.0.0.136_20121102)
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
[1] talosintelligence.com/vulnerability_reports/TALOS-2021-1424 (MISC)
News mentions
No linked articles in our index yet.