CVE-2021-44406

Vulnerability

The vulnerability exists in the cgiserver.cgi JSON command parser of reolink RLC-410W firmware v3.0.0.136_20121102. When processing the GetAutoFocus parameter, the parser fails to validate that the parameter is an object, leading to a denial of service condition. An attacker can exploit this by sending a specially-crafted HTTP request to the device's CGI interface [1].

Exploitation

An attacker can trigger this vulnerability without authentication by sending an HTTP request to the CGI endpoint with a malformed JSON payload where the GetAutoFocus parameter is not an object. This causes the cgiserver.cgi process to crash, resulting in a device reboot. No user interaction or privileged access is required, and the attack can be performed over the network [1].

Impact

Successful exploitation leads to a denial of service, causing the device to reboot. This disrupts camera functionality temporarily, resulting in loss of surveillance coverage until the device restarts. The CIA impact is primarily on availability (high), with no impact on confidentiality or integrity [1].

Mitigation

Reolink has not released a firmware update to address this vulnerability as of the publication date. Users should monitor the vendor's advisory page for updates. No known workarounds are available. The device is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog [1].