CVE-2021-44390

Vulnerability

A denial of service vulnerability exists in the cgiserver.cgi JSON command parser of Reolink RLC-410W firmware version v3.0.0.136_20121102. The format parameter is expected to be an object, but a non-object type causes the parser to fail, leading to a crash and subsequent device reboot. No authentication is required to trigger this issue [1].

Exploitation

An attacker can send a specially crafted HTTP request to the camera's CGI interface with a malformed format parameter (e.g., a string instead of an object). The request does not require any prior authentication or network position beyond reachability to the device. The invalid input causes the cgiserver.cgi process to terminate, resulting in an immediate reboot of the camera [1].

Impact

Successful exploitation causes the device to reboot, disrupting its functionality (e.g., video streaming, recording, motion detection) until the reboot completes. The impact is denial of service (availability) with no effect on confidentiality or integrity. The CVSSv3 score is 8.6 (AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H) [1].

Mitigation

As of the publication date (2022-01-28), no patch or workaround has been provided by Reolink. The vendor was contacted but did not respond [1]. Users should consider network segmentation or firewall rules to restrict access to the camera's CGI interface from untrusted networks.