CVE-2021-40412
Description
An OS command injection vulnerability exists in the device network settings functionality of Reolink RLC-410W v3.0.0.136_20121102. At [8] the devname variable, which has the value of the name parameter provided through the SetDevName API, is not validated properly. This would lead to an OS command injection.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
OS command injection in Reolink RLC-410W v3.0.0.136: the SetDevName API does not validate the name parameter (devname), which leads to arbitrary OS command execution.
Vulnerability
An OS command injection vulnerability exists in the device network settings functionality of Reolink RLC-410W firmware version v3.0.0.136_20121102. The SetDevName API takes a name parameter that is assigned to the devname variable without proper validation. This unvalidated input is later used in OS commands, allowing injection of arbitrary commands [1].
Exploitation
An attacker with high privileges (administrative access) can send a specially crafted HTTP request to the SetDevName API. The name parameter can contain malicious command sequences such as command separators or substitution operators. Since the input is not sanitized, the injected commands are executed in the context of the device's OS [1].
Impact
Successful exploitation allows arbitrary OS command execution on the device, leading to full compromise of confidentiality, integrity, and availability (CIA). The attacker can gain complete control over the camera, potentially exfiltrate video feeds, modify settings, or use the device as a pivot point [1].
Mitigation
As of the publication date of this CVE, no official patched firmware version has been released. Users should monitor the vendor's official channels for updates. Restricting network access to the device's management interface to trusted hosts only can reduce the attack surface. The device should not be exposed directly to the internet [1].
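The validation that the description says is missing for devname, as an added example (not Reolink's code and not taken from the Talos report). The length limit, the allowed character set and the helper path are assumptions chosen for illustration.

```c
#include <stddef.h>
#include <string.h>

#define DEVNAME_MAX 31                          /* assumed limit, not from the firmware */
#define SET_NAME_HELPER "/usr/sbin/set-devname" /* hypothetical helper path */

/* Return 1 only if name is 1..DEVNAME_MAX bytes drawn from an allowlist
 * (letters, digits, space, '-', '_', '.') and does not start with '-',
 * so the receiving program cannot read it as an option. */
int devname_is_valid(const char *name)
{
    static const char allowed[] =
        "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 -_.";
    size_t len;

    if (name == NULL)
        return 0;
    len = strlen(name);
    if (len == 0 || len > DEVNAME_MAX || name[0] == '-')
        return 0;
    /* strspn counts the leading bytes that are in the allowlist; a count
     * shorter than len means some byte (quote, separator, newline) was rejected. */
    return strspn(name, allowed) == len;
}

/* Fill argv for an exec-style call instead of formatting a shell string.
 * The name stays one argument, so it is never parsed as shell syntax.
 * Returns 0 on success, -1 if the name is rejected. */
int build_setname_argv(const char *name, const char *argv[4])
{
    if (argv == NULL || !devname_is_valid(name))
        return -1;
    argv[0] = SET_NAME_HELPER;
    argv[1] = "--";   /* end of options */
    argv[2] = name;
    argv[3] = NULL;
    return 0;
}
```

The allowlist rejects by default, so a character nobody thought to block is still refused, and passing the name as a separate argument removes the shell from the path entirely.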
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- reolink/RLC-410W (description)
Patches
No patches discovered yet.
References
[1] talosintelligence.com/vulnerability_reports/TALOS-2021-1424 (mitre, x_refsource_MISC)