CVE-2021-44380
Description
A denial of service vulnerability exists in the cgiserver.cgi JSON command parser functionality of reolink RLC-410W v3.0.0.136_20121102. A specially-crafted HTTP request can lead to a reboot. The SetTime param is not an object. An attacker can send an HTTP request to trigger this vulnerability.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A denial of service vulnerability in Reolink RLC-410W camera firmware v3.0.0.136_20121102 allows unauthenticated remote attackers to trigger a device reboot via a crafted HTTP request.
Vulnerability
The SetTime JSON command parser in the cgiserver.cgi component of Reolink RLC-410W firmware version v3.0.0.136_20121102 contains an improper input validation flaw (CWE-20) [1]. When the SetTime parameter is not provided as an object, the parser mishandles the request and crashes the cgiserver.cgi process, causing the device to reboot [1]. No authentication is required to reach this code path [1].
Exploitation
An attacker can exploit this vulnerability by sending a single specially-crafted HTTP request to the camera's CGI interface [1]. The request must include a malformed SetTime parameter that is not an object, such as a string or numeric value, which triggers the parser error. The attacker does not need prior authentication, session cookies, or any local access; only network connectivity to the device is required [1].
Impact
Successful exploitation causes the cgiserver.cgi process to terminate, leading to an immediate reboot of the camera [1]. While this is a denial of service (DoS) condition that disrupts camera functionality until the reboot completes, the attacker does not gain any access to stored data or persistent control over the device. The CVSS score for this vulnerability is 8.6 (High) under CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H, reflecting the high availability impact on a network-accessible service [1].
Mitigation
As of the publication date (2022-01-28), no firmware update has been released by Reolink to address this vulnerability [1]. The affected firmware version v3.0.0.136_20121102 remains the latest tested version, and there is no mention of an EOL or a fixed release in the advisory. Until a patch is available, users can mitigate risk by restricting network access to the camera (e.g., placing it behind a firewall or VPN) and ensuring it is not directly exposed to the Internet [1].
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- reolink/RLC-410W
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
[1] talosintelligence.com/vulnerability_reports/TALOS-2021-1421 (MITRE refsource: MISC)
News mentions
No linked articles in our index yet.