CVE-2021-44381
Description
A denial of service vulnerability exists in the cgiserver.cgi JSON command parser functionality of Reolink RLC-410W v3.0.0.136_20121102. A specially-crafted HTTP request can lead to a reboot. The trigger condition is a SetPowerLed param that is not an object. An attacker can send an HTTP request to trigger this vulnerability.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A denial of service vulnerability in Reolink RLC-410W allows unauthenticated attackers to reboot the device via a crafted HTTP request.
Vulnerability
The Reolink RLC-410W wireless security camera running firmware version v3.0.0.136_20121102 contains an improper input validation vulnerability in the cgiserver.cgi JSON command parser. Specifically, the SetPowerLed parameter is expected to be an object but can be supplied with a non-object value, causing the process to crash and the device to reboot. This vulnerability is cataloged as CWE-20 (Improper Input Validation) [1].
Exploitation
An attacker can exploit this vulnerability by sending a specially crafted HTTP request to the device. No authentication is required, and the request can be sent over the network. The malformed JSON triggers a crash in cgiserver.cgi, leading to an immediate reboot of the camera [1].
Impact
Successful exploitation results in a denial of service (DoS) condition: the device reboots, interrupting surveillance and other camera functions. The impact is limited to availability; no data integrity or confidentiality is compromised [1].
Mitigation
As of the publication date (January 28, 2022), no firmware update has been released to address this vulnerability. Users should monitor Reolink's official support channels for future updates and consider implementing network-level controls, such as restricting access to the camera's web interface, to reduce exposure [1].
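One way to apply such a network-level control, as an added example that is not from Reolink or the cited advisory: a check a filtering proxy could run on request bodies before forwarding them to the camera, rejecting any command whose `param` is not a JSON object. The envelope shape (a JSON array of objects with `cmd` and `param` keys), the size cap and the function name are assumptions, since the page does not give the request format; the check is applied to every command, not only SetPowerLed.

```python
import json

MAX_BODY_BYTES = 16 * 1024  # assumed cap; not a value from the page


def check_command_body(body: bytes):
    """Return (allowed, reason) for one request body bound for cgiserver.cgi.

    Assumed envelope (not given on the page): a JSON array of objects,
    each with a string "cmd" and an optional object "param".
    """
    if len(body) > MAX_BODY_BYTES:
        return False, "body too large"
    try:
        doc = json.loads(body.decode("utf-8"))
    except (UnicodeDecodeError, ValueError, RecursionError):
        return False, "not valid UTF-8 JSON"
    if not isinstance(doc, list) or not doc:
        return False, "top level is not a non-empty array"
    for i, entry in enumerate(doc):
        if not isinstance(entry, dict):
            return False, f"entry {i} is not an object"
        cmd = entry.get("cmd")
        if not isinstance(cmd, str) or not cmd:
            return False, f"entry {i} has no string cmd"
        # Condition named in the CVE description: param present but not an object.
        if "param" in entry and not isinstance(entry["param"], dict):
            return False, f"entry {i} ({cmd}): param is not an object"
    return True, "ok"


# Constructed sample bodies; the key inside param is a placeholder.
SAMPLES = [
    b'[{"cmd": "SetPowerLed", "param": {"placeholder": 1}}]',
    b'[{"cmd": "SetPowerLed", "param": "x"}]',
    b'[{"cmd": "SetPowerLed", "param": null}]',
    b'{"cmd": "SetPowerLed"}',
    b'[{"cmd": "SetPowerLed", "param": {}}, 7]',
    b'not json',
]

if __name__ == "__main__":
    for body in SAMPLES:
        print(check_command_body(body), body)
```

A proxy using this check would drop rejected requests and log the reason, which also gives a detection signal for probing of the parser.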
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- reolink/RLC-410W
Patches
No patches discovered yet.
References
[1] talosintelligence.com/vulnerability_reports/TALOS-2021-1421 (mitre, x_refsource_MISC)