CVE-2021-44369

Vulnerability

The vulnerability exists in the JSON command parser of cgiserver.cgi in Reolink RLC-410W firmware version 3.0.0.136_20121102 [1]. The SetNtp parameter is expected to be an object, but the parser does not properly validate the input type. When a non-object value is supplied for SetNtp, the parser mishandles the request, leading to a crash of the cgiserver.cgi process and a subsequent device reboot [1]. This is a CWE-20 Improper Input Validation flaw [1].

Exploitation

An attacker can exploit this vulnerability by sending a specially-crafted HTTP request to the affected camera over the network [1]. No authentication is required, and no user interaction is needed [1]. The attacker simply includes the SetNtp parameter with a value that is not an object (e.g., a string or number) in the JSON body of the request [1]. The request triggers the vulnerable code path, causing the CGI process to terminate and the camera to reboot.

Impact

Successful exploitation results in a denial of service condition. The affected camera will reboot, temporarily losing all functionality until the reboot completes [1]. Repeated attacks could cause persistent interruption of service. The impact is limited to availability (CIA impact: none on confidentiality or integrity) [1].

Mitigation

At the time of publication (2022-01-28), no firmware update has been released by Reolink to address this vulnerability [1]. The vendor has not responded to disclosure attempts [1]. Users are advised to consider network-level segmentation and access controls to limit exposure to untrusted networks. The device is not listed on the CISA Known Exploited Vulnerabilities (KEV) catalog.