CVE-2021-40416

Vulnerability

The vulnerability resides in the cgi_check_ability function of cgiserver.cgi on Reolink RLC-410W firmware version v3.0.0.136_20121102. The function incorrectly handles permission checks for API commands, allowing any logged-in user to execute APIs that are not explicitly listed in the permission table (i.e., all Get APIs not included in the cgi_check_ability logic). This stems from an improper default access control (CWE-284) where the permission check defaults to granting access when the API is not found in the internal command table [1].

Exploitation

An attacker needs network access to the camera and valid login credentials (low-privileged user account). Once authenticated, the attacker can send specially crafted HTTP requests to any Get API that is not subject to the cgi_check_ability permission check. The advisory notes that all Get APIs not included in cgi_check_ability are already executable by any logged-in users, making exploitation straightforward with just an HTTP request [1].

Impact

Successful exploitation allows the attacker to trigger unintended API calls, leading to denial of service (as per CVSS score 7.1, with high availability impact). The confidentiality impact is none, and integrity impact is low, meaning the attacker can disrupt device operation but cannot access sensitive data or modify critical settings without additional vulnerabilities [1].

Mitigation

As of the publication date, no firmware update or patch has been released by Reolink to address this vulnerability. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog. Affected users should monitor vendor advisories for a future fix and consider restricting network access to the camera until a patch is available [1].