VYPR
Unrated severity · NVD Advisory · Published Apr 14, 2022 · Updated Apr 15, 2025

CVE-2021-44356

Description

Multiple denial of service vulnerabilities exist in the cgiserver.cgi JSON command parser functionality of Reolink RLC-410W v3.0.0.136_20121102. A specially-crafted HTTP request can lead to a reboot. An attacker can send an HTTP request to trigger this vulnerability.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

An unauthenticated attacker can send a crafted HTTP request to trigger a denial of service on Reolink RLC-410W cameras running firmware v3.0.0.136_20121102, causing a reboot.

Vulnerability

A denial of service vulnerability exists in the JSON command parser functionality of the cgiserver.cgi process in Reolink RLC-410W firmware version v3.0.0.136_20121102. The parser does not properly validate JSON input, so a specially-crafted HTTP request can trigger a denial of service condition that reboots the device. The affected API is intended for administrator use only, but the handler lacks proper authentication checks, making the code path reachable without valid credentials [1].

Exploitation

An attacker can exploit this vulnerability by sending a single specially-crafted HTTP request to the target device's web interface. No authentication is required, and the attack can be performed over the network from the local network segment. The request kills the cgiserver.cgi process, which in turn causes the device to reboot [1].

Impact

Successful exploitation leads to a denial of service condition, temporarily disabling the security camera's functionality until it completes its reboot cycle. This impacts availability but does not affect confidentiality or integrity [1]. The device automatically restores normal operation after rebooting, but the disruption could allow events to go unrecorded during the downtime.

Mitigation

As disclosed by the referenced advisory, no fix or updated firmware was available at the time of publication (April 2022). Users should monitor Reolink's support website for firmware updates and consider network-level controls, such as restricting access to the camera's web interface to trusted IP addresses only, while the vendor addresses the issue [1].

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2
  • Reolink/RLC-410W (llm-fuzzy), 2 versions
    = 3.0.0.136_20121102 (+ 1 more)
    • (no CPE) range: = 3.0.0.136_20121102
    • (no CPE) range: v3.0.0.136_20121102

Patches

0

No patches discovered yet.

References

1
