CVE-2021-40411

Vulnerability

An OS command injection vulnerability exists in the Reolink RLC-410W camera firmware version v3.0.0.136_20121102. The SetDdns API endpoint, which configures DDNS settings, does not properly sanitize user-supplied input. Specifically, the domain field (parsed into ddns_data->dns2) is passed unsanitized into a shell command string via the set_dds_config function. This allows an attacker with authenticated access to inject arbitrary OS commands through the domain parameter [1].

Exploitation

An attacker must first obtain valid credentials for the camera's web interface. With authenticated access, they can send a crafted HTTP request to the SetDdns API, providing a malicious domain value containing shell metacharacters (e.g., command separators like ; or backticks). The injection point is in the device program that constructs and executes a shell command using the unsanitized dns2 field. No user interaction is required beyond the authenticated API call [1].

Impact

Successful exploitation allows the attacker to execute arbitrary OS commands on the device with root privileges. This leads to full compromise of the camera, including complete loss of confidentiality, integrity, and availability. The attacker can potentially pivot to internal networks, as the camera may be reachable from the local LAN [1].

Mitigation

As of the publication date (2022-01-28), no firmware update or patch had been released by Reolink for CVE-2021-40411. No workaround is documented. The vulnerable product is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog. Users are advised to restrict network access to the camera and apply any future firmware updates promptly [1].