CVE-2021-44362

Vulnerability

In Reolink RLC-410W firmware version v3.0.0.136_20121102, the cgiserver.cgi JSON command parser contains a denial of service vulnerability when processing the SetCloudSchedule parameter. If the parameter is not an object as expected, the parser fails, leading to a crash and subsequent reboot of the device. This issue is classified as CWE-20: Improper Input Validation [1].

Exploitation

An unauthenticated attacker can exploit this vulnerability by sending a specially crafted HTTP request to the camera's web interface. No authentication is required, and no user interaction is needed. The attacker simply crafts a request where the SetCloudSchedule parameter is not a valid object, causing the parser to malfunction.

Impact

Successful exploitation results in a denial of service condition, causing the camera to reboot. This disrupts surveillance functionality and may cause temporary loss of video recording and monitoring. The impact is availability only (no confidentiality or integrity compromise), but given the network-accessible nature and lack of authentication, the severity is high (CVSS 8.6) [1].

Mitigation

As of the publication date of this advisory (2022-01-28), no official firmware update has been released to address this vulnerability. Users should monitor Reolink's support channels for a patched firmware version. As a workaround, restrict network access to the camera's web interface to trusted IP addresses only, or place the camera behind a firewall to limit exposure [1].