CVE-2021-44396
Description
A denial of service vulnerability exists in the cgiserver.cgi JSON command parser functionality of reolink RLC-410W v3.0.0.136_20121102. A specially-crafted HTTP request can lead to a reboot. Preview param is not object. An attacker can send an HTTP request to trigger this vulnerability.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
An unauthenticated, specially-crafted HTTP request in which the `Preview` JSON parameter is not an object can trigger a denial of service (reboot) through cgiserver.cgi on Reolink RLC-410W v3.0.0.136_20121102.
Vulnerability
The vulnerability exists in the cgiserver.cgi JSON command parser functionality of the Reolink RLC-410W wireless IP camera, specifically version v3.0.0.136_20121102 [1]. The parser does not properly validate that the Preview parameter is an object. By sending an HTTP request where the Preview field is not an object (e.g., a primitive value), the parser encounters an unhandled condition that leads to a process crash and subsequent device reboot [1]. This is classified as an Improper Input Validation (CWE-20) issue [1].
Exploitation
An attacker requires network access to the camera's web interface. No authentication is needed [1]. The attacker crafts an HTTP request to the vulnerable endpoint, setting the Preview JSON parameter to a non-object type (such as a string, integer, or array). Sending this specially-crafted request triggers the vulnerable code path, causing cgiserver.cgi to terminate unexpectedly, which in turn reboots the camera [1].
Impact
Successful exploitation results in a denial of service (reboot) of the affected Reolink RLC-410W camera. The camera becomes unavailable until the reboot completes, disrupting surveillance and recording functionalities [1]. The impact is on availability only; there is no risk to confidentiality or integrity from this specific vulnerability [1].
Mitigation
As of the publication date (2022-01-28), the vendor has not released a firmware update addressing this vulnerability [1]. No workaround is documented in the references [1]. Users should monitor the vendor's support channels for an updated firmware version. The vulnerability is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog at the time of publication [1].
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- reolink/RLC-410W (source: description)
Patches
No patches discovered yet.
References
[1] talosintelligence.com/vulnerability_reports/TALOS-2021-1421 (mitre, x_refsource_MISC)