CVE-2021-44402
Description
A denial of service vulnerability exists in the cgiserver.cgi JSON command parser functionality of Reolink RLC-410W v3.0.0.136_20121102. A specially-crafted HTTP request can lead to a reboot because the GetPtzSerial parameter is not an object. An attacker can send an HTTP request to trigger this vulnerability.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Improper input validation in Reolink RLC-410W's cgiserver.cgi allows an unauthenticated attacker to cause a device reboot via a crafted HTTP request.
Vulnerability
A denial-of-service vulnerability exists in the JSON command parser functionality of cgiserver.cgi in Reolink RLC-410W firmware version v3.0.0.136_20121102. The bug is an improper input validation (CWE-20): the GetPtzSerial parameter is expected to be a JSON object, but a specially-crafted HTTP request can supply a non-object value, leading to a crash of the cgiserver.cgi process and a subsequent device reboot. The vulnerability is reachable without authentication, because the parser does not verify the type of the JSON parameter before using it [1].
Exploitation
An unauthenticated attacker can exploit this vulnerability by sending a single HTTP request to the camera's web server. The request must include a JSON payload in which the GetPtzSerial parameter is set to a value that is not an object (e.g., a string, number, or null). The cgiserver.cgi parser fails to validate the data type, causing an unhandled error that kills the process and triggers an automatic reboot of the device. No special network position or user interaction is required; the attacker only needs network access to the camera's management interface [1].
Impact
Successful exploitation results in a denial of service (DoS) condition: the Reolink RLC-410W camera reboots and becomes temporarily unavailable for video streaming, recording, and configuration. The impact is limited to availability (of the CIA triad, only availability is affected). An attacker cannot gain code execution, access sensitive data, or persist on the device. The reboot causes a brief interruption of surveillance functions [1].
Mitigation
As of the publication date (2022-01-28), no firmware update has been released to address this vulnerability. Reolink RLC-410W users are advised to restrict network access to the camera's management interface (e.g., via firewall rules or VLAN segmentation) to reduce exposure. This vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog. Users should monitor Reolink's support page for future firmware patches [1].
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
reolink/RLC-410W
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
[1] https://talosintelligence.com/vulnerability_reports/TALOS-2021-1421
News mentions
No linked articles in our index yet.