CVE-2021-44404

Vulnerability

The vulnerability resides in the JSON command parser functionality of the cgiserver.cgi binary in reolink RLC-410W firmware version 3.0.0.136_20121102. The GetZoomFocus parameter is expected to be an object but the parser does not validate its type, leading to improper input validation (CWE-20). Affected version is exactly 3.0.0.136_20121102.

Exploitation

An unauthenticated attacker can send a specially-crafted HTTP request to the device's web interface. No authentication is required, and the attacker does not need any prior access. The crafted request triggers the flaw in the JSON command parser, causing the cgiserver.cgi process to crash and subsequently the device to reboot [1].

Impact

Successful exploitation causes a denial of service by rebooting the camera. The attacker gains no further access, but the device becomes unavailable until it completes the reboot cycle. The impact is limited to availability (CIA: availability only), with no confidentiality or integrity compromise. However, an attacker can repeatedly trigger the vulnerability to maintain a persistent denial of service.

Mitigation

As of the publication date (2022-01-28), no fix has been released by reolink. The vendor has not provided a patched firmware version. Users are advised to restrict network access to the camera to trusted hosts only, and to monitor for any firmware updates from reolink. There is no known workaround beyond network segmentation [1].