VYPR
Unrated severity · NVD Advisory · Published Jan 28, 2022 · Updated Apr 15, 2025

CVE-2021-44371

Description

A denial of service vulnerability exists in the cgiserver.cgi JSON command parser functionality of reolink RLC-410W v3.0.0.136_20121102. A specially-crafted HTTP request can lead to a reboot. SetEmail param is not object. An attacker can send an HTTP request to trigger this vulnerability.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A DoS vulnerability in Reolink RLC-410W cameras allows unauthenticated remote attackers to trigger a reboot via a crafted HTTP request to the cgiserver.cgi JSON parser.

Vulnerability

The vulnerability resides in the JSON command parser of the cgiserver.cgi component on Reolink RLC-410W cameras running firmware version v3.0.0.136_20121102. Specifically, when parsing the SetEmail parameter, the parser does not validate that the parameter is an object, leading to improper input validation (CWE-20) [1]. This allows an unauthenticated attacker to cause a denial of service.

Exploitation

An attacker can exploit this vulnerability by sending a crafted HTTP request to the camera's web server. No authentication is required. The request must include a SetEmail parameter that is not an object; parsing it crashes the cgiserver.cgi process and results in a reboot of the device [1].

Impact

Successful exploitation causes the device to reboot, temporarily disrupting surveillance functions. The impact is a denial of service (CIA: availability) with high severity (CVSSv3 8.6) and no impact on confidentiality or integrity [1].

Mitigation

As of the publication date (2022-01-28), no fix was available from Reolink. Users should monitor for firmware updates that address this vulnerability. The device may be listed in vendor advisories; however, the Talos report indicates a large number of similar CVEs [1].

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2
  • reolink/RLC-410W (source: description)
  • Reolink/RLC-410W (source: llm-fuzzy)
    Range: = v3.0.0.136_20121102

Patches

0

No patches discovered yet.

References

1
