CVE-2021-44389
Description
A denial of service vulnerability exists in the cgiserver.cgi JSON command parser functionality of reolink RLC-410W v3.0.0.136_20121102. A specially-crafted HTTP request can lead to a reboot. GetAbility param is not object. An attacker can send an HTTP request to trigger this vulnerability.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
An unauthenticated HTTP request to the cgiserver.cgi JSON parser can crash the process, forcing a reboot of the Reolink RLC-410W camera (firmware v3.0.0.136_20121102).
Vulnerability
The cgiserver.cgi JSON command parser in Reolink RLC-410W firmware v3.0.0.136_20121102 does not properly validate the GetAbility param when it is not a JSON object. A specially-crafted HTTP POST request can crash the cgiserver.cgi process, leading to an immediate device reboot. No authentication is required to exploit this flaw [1].
Exploitation
An unauthenticated attacker with network access to the camera can send a crafted HTTP request containing a malicious JSON payload where the GetAbility parameter is not set to an object. The crash of cgiserver.cgi occurs upon parsing this malformed parameter, causing the device to reboot without any user interaction [1].
Impact
Successful exploitation results in a denial of service (DoS) condition: the camera is forced to reboot, interrupting its video recording and monitoring functions. The CVSS v3.0 base score is 8.6, with a high availability impact and no impact on confidentiality or integrity [1].
Mitigation
As of the publication date (January 28, 2022), no patched firmware version has been released by Reolink for this vulnerability. The affected firmware is v3.0.0.136_20121102. Users may consider restricting network access to the camera or deploying additional firewall rules to block unauthenticated requests to the vulnerable endpoint until a fix becomes available [1].
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- reolink/RLC-410W
Patches
No patches discovered yet.
References
[1] talosintelligence.com/vulnerability_reports/TALOS-2021-1421 (mitre, x_refsource_MISC)