CVE-2021-44387

Vulnerability

A denial of service vulnerability exists in the cgiserver.cgi JSON command parser functionality of Reolink RLC-410W version 3.0.0.136_20121102 [1]. The vulnerability is triggered when the SetPtzPreset parameter is provided but is not a JSON object. This improper input validation (CWE-20) causes the cgiserver.cgi process to crash, leading to an immediate reboot of the device [1]. No authentication is required to reach the affected code path, as the vulnerable API is exposed without access controls [1].

Exploitation

An attacker can exploit this vulnerability by sending a specially-crafted HTTP request to the camera's web interface [1]. The attacker does not need any authentication or prior network access beyond being able to send HTTP requests to the device. The attack involves providing a non-object value (e.g., a string, number, or array) to the SetPtzPreset parameter in the JSON payload of the request [1]. Upon parsing this malformed input, the cgiserver.cgi process crashes, automatically triggering the device's watchdog to reboot the camera within seconds [1].

Impact

On successful exploitation, the attacker causes the Reolink RLC-410W to reboot, resulting in a temporary denial of service [1]. Video monitoring and recording are interrupted until the device completes its boot cycle. The impact is limited to availability; there is no confidentiality or integrity impact [1]. Repeated attacks can cause persistent downtime.

Mitigation

No patch or fixed version has been released by Reolink as of the publication date of this CVE (2022-01-28) [1]. The only available mitigation is to restrict network access to the camera's web interface using firewall rules or VLAN segmentation, ensuring that only trusted devices can send HTTP requests to the camera [1]. The device is not listed on the CISA Known Exploited Vulnerabilities (KEV) catalog as of this writing.