CVE-2021-40413
Description
An incorrect default permission vulnerability exists in the cgiserver.cgi cgi_check_ability functionality of reolink RLC-410W v3.0.0.136_20121102. The UpgradePrepare is the API that checks if a provided filename identifies a new version of the RLC-410W firmware. If the version is new, it would be possible, allegedly, to later on perform the Upgrade. An attacker can send an HTTP request to trigger this vulnerability.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
An incorrect default permission in the Reolink RLC-410W's cgiserver.cgi lets authenticated but unprivileged users call privileged APIs, potentially leading to unauthorized firmware-upgrade preparation or denial of service.
Vulnerability
The Reolink RLC-410W Wi-Fi security camera running firmware v3.0.0.136_20121102 contains an incorrect default permission vulnerability in the cgi_check_ability function of cgiserver.cgi [1]. The permission system encodes a user's abilities as a three-bit value: bit 2 (value 4) grants Get APIs, bit 1 (value 2) grants Set APIs, and bit 0 (value 1) grants critical APIs such as UpgradePrepare, Upgrade, Reboot and Shutdown. Because of an error in the default permission assignment, unprivileged users can execute APIs that require bit 0, including UpgradePrepare, which checks whether a supplied filename identifies a new version of the firmware [1].
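The following is an added example, not Reolink's code and not taken from the Talos report: a small model of the three-bit ability check described above, with a flawed default role table beside a corrected one and an audit function that flags any non-admin role able to reach a bit-0 API. The bit layout and API names follow the text; the role names, the shape of the flawed default, and the per-API required bits are assumptions made for illustration (the page does not give the firmware's actual tables).

```python
"""Model of a three-bit CGI ability check (added example, not Reolink's code).

Bit layout follows the page: GET=4, SET=2, CRITICAL=1.  The role masks and the
exact wrong default are assumptions that illustrate the class of defect the
page describes (an incorrect default permission), not the firmware's values.
"""

GET, SET, CRITICAL = 4, 2, 1

# Assumed API -> required ability bit.  Names follow the page.
API_REQUIRED_BIT = {
    "GetDevInfo": GET,
    "SetNetPort": SET,
    "UpgradePrepare": CRITICAL,
    "Upgrade": CRITICAL,
    "Reboot": CRITICAL,
    "Shutdown": CRITICAL,
}

# Assumed role -> default ability mask.  The flawed table hands a non-admin
# user the CRITICAL bit; the fixed table keeps that bit admin-only.
DEFAULT_ABILITY_FLAWED = {
    "admin": GET | SET | CRITICAL,  # 7
    "user": GET | SET | CRITICAL,   # 7: wrong, CRITICAL leaks to low-priv user
}

DEFAULT_ABILITY_FIXED = {
    "admin": GET | SET | CRITICAL,  # 7
    "user": GET,                    # 4: read-only
}


def cgi_check_ability(user_mask: int, api: str) -> bool:
    """Return True if the caller's mask contains the bit the API requires.

    Unknown APIs are denied rather than falling through (deny by default).
    """
    required = API_REQUIRED_BIT.get(api)
    if required is None:
        return False
    return (user_mask & required) == required


def authorize(role: str, api: str, table: dict) -> bool:
    """Resolve the caller's default mask from a role table, then check it."""
    return cgi_check_ability(table.get(role, 0), api)


def audit(table: dict) -> list:
    """List (role, api) pairs where a non-admin role reaches a CRITICAL API.

    An empty list means the table grants bit 0 to administrators only.
    """
    return [
        (role, api)
        for role, mask in table.items()
        if role != "admin"
        for api, bit in API_REQUIRED_BIT.items()
        if bit == CRITICAL and cgi_check_ability(mask, api)
    ]


if __name__ == "__main__":
    print("flawed table:", audit(DEFAULT_ABILITY_FLAWED))
    print("fixed table: ", audit(DEFAULT_ABILITY_FIXED))
```

Run as a script to see the flawed table report every critical API as reachable by the "user" role while the fixed table reports none. The audit function is the practical takeaway: when a permission system is a bitmask with defaults, enumerate every (role, API) pair and assert that the privileged bit is held only by the roles meant to have it, rather than trusting the defaults.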
Exploitation
An attacker with network access to the camera and valid low-privilege credentials can exploit this vulnerability. The attacker sends a crafted HTTP request that invokes the UpgradePrepare API (the same check gates the other critical APIs) with a chosen filename [1]. cgi_check_ability incorrectly permits the request, so the API runs even though the caller lacks the privilege level it is meant to require [1].
Impact
Successful exploitation lets an authenticated but unprivileged attacker call APIs that should be restricted to administrator-level users. This can cause denial of service (for example via the Reboot or Shutdown APIs) or stage the device for an unauthorized firmware upgrade via UpgradePrepare [1]. The CVSSv3 base score is 7.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H): network-reachable, low attack complexity, low privileges required, no user interaction, with high availability impact and low integrity impact [1].
Mitigation
As of the publication date (2022-01-28), no firmware update addressing this vulnerability had been released [1]. Until one is available, restrict network access to the camera to trusted networks only, use strong, unique passwords for every account (including low-privilege accounts, since any authenticated user can reach the affected APIs), and monitor for unexpected reboots, shutdowns or upgrade activity. This CVE is not listed in the CISA Known Exploited Vulnerabilities catalog. If a firmware update becomes available, apply it promptly.
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
reolink/RLC-410W
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
[1] talosintelligence.com/vulnerability_reports/TALOS-2021-1425 (MITRE x_refsource_MISC)
News mentions
No linked articles in our index yet.