Unrated severity · NVD Advisory · Published Jan 28, 2022 · Updated Apr 15, 2025

CVE-2021-44363

Description

A denial of service vulnerability exists in the cgiserver.cgi JSON command parser functionality of reolink RLC-410W v3.0.0.136_20121102. A specially-crafted HTTP request can lead to a reboot. SetPush param is not object. An attacker can send an HTTP request to trigger this vulnerability.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A denial of service vulnerability in the Reolink RLC-410W camera's cgiserver.cgi allows unauthenticated remote attackers to cause a reboot via a specially-crafted HTTP request.

Vulnerability

The vulnerability exists in the JSON command parser functionality of cgiserver.cgi in Reolink RLC-410W firmware version v3.0.0.136_20121102. The SetPush parameter is expected to be an object, but input validation is missing. When a non-object value (e.g., a string) is provided, the parser crashes, leading to a denial of service condition. This affects the reboot API, which is accessible without authentication [1].

Exploitation

An attacker can exploit this vulnerability by sending a specially-crafted HTTP request to the camera's cgiserver.cgi endpoint. No authentication is required. The attacker crafts the request with the SetPush parameter set to a value that is not an object, such as a string or number. This causes the JSON parser to crash, killing the cgiserver.cgi process and triggering a device reboot [1].

Impact

Successful exploitation results in a denial of service as the camera reboots. This disrupts video monitoring and recording capabilities. There is no impact on confidentiality or integrity; the attack solely affects availability [1].

Mitigation

As of the publication date, no patched firmware version has been released by Reolink. Users are advised to monitor the vendor's official website for updates. Until a fix is available, restrict network access to the camera to trusted hosts only, or disable the vulnerable API if possible [1].
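The type check described under Vulnerability can be enforced in front of the device, for example in a filtering reverse proxy that only forwards bodies that pass. The sketch below is an added example, not Reolink's code or part of the advisory, and it generalizes the check from SetPush to every command in the body. It assumes the body is a JSON array of command objects with `cmd` and `param` members; only the names SetPush and param come from this page, and `check_command_body` is a hypothetical helper.

```python
import json

# Assumed layout (not given on the page): the body is a JSON array of command
# objects, each with a "cmd" name and an optional "param" member.
JSON_TYPE = {dict: "object", list: "array", str: "string", bool: "boolean",
             int: "number", float: "number", type(None): "null"}


def check_command_body(raw: bytes) -> list:
    """Return the reasons to reject a request body; an empty list means pass."""
    try:
        doc = json.loads(raw.decode("utf-8"))
    except (ValueError, RecursionError) as exc:
        # Covers bad UTF-8, malformed JSON and pathologically deep nesting.
        return ["body rejected: " + type(exc).__name__]

    # Treat a lone command object as a one-element batch.
    commands = doc if isinstance(doc, list) else [doc]
    problems = []
    for index, entry in enumerate(commands):
        if not isinstance(entry, dict):
            kind = JSON_TYPE[type(entry)]
            problems.append(f"entry {index}: command is {kind}, expected object")
            continue
        name = entry.get("cmd")
        if not isinstance(name, str):
            problems.append(f"entry {index}: missing or non-string cmd")
            continue
        # The check the advisory says is missing: param must be an object.
        if "param" in entry and not isinstance(entry["param"], dict):
            kind = JSON_TYPE[type(entry["param"])]
            problems.append(f"entry {index}: {name} param is {kind}, expected object")
    return problems


if __name__ == "__main__":
    # Constructed sample bodies, not captured traffic.
    samples = [
        b'[{"cmd": "SetPush", "param": {}}]',
        b'[{"cmd": "SetPush", "param": "x"}]',
        b'{"cmd": "SetPush", "param": null}',
        b'{',
    ]
    for body in samples:
        print(body, "->", check_command_body(body) or "pass")
```

A proxy using this check should answer rejected bodies itself (for instance with HTTP 400) and log the returned reasons, so that malformed commands never reach cgiserver.cgi and attempts remain visible.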

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2
  • reolink/RLC-410W (description)
  • Reolink/RLC-410W (llm-fuzzy)
    Range: =3.0.0.136_20121102

Patches

0

No patches discovered yet.

References

1
