CVE-2021-44407

Vulnerability

A denial of service vulnerability exists in the cgiserver.cgi JSON command parser of Reolink RLC-410W firmware version v3.0.0.136_20121102 [1]. The TestEmail parameter is expected to be an object, but the parser does not validate its type, causing a crash when a non-object value is supplied. An attacker can trigger this by sending a specially crafted HTTP request to an unauthenticated API endpoint, leading to a reboot. Affected device: Reolink RLC-410W running firmware v3.0.0.136_20121102 [1].

Exploitation

An unauthenticated attacker with network access to the device can send an HTTP request to the vulnerable API endpoint, providing a value for TestEmail that is not an object (e.g., a string or integer) [1]. No authentication or user interaction is required. The request causes the cgiserver.cgi process to crash, which results in an immediate reboot of the device [1].

Impact

Successful exploitation leads to a denial of service condition, rebooting the camera and interrupting its operation. The device becomes unavailable until the reboot completes. This is a high-impact availability issue (CWE-20: Improper Input Validation) [1].

Mitigation

As of the publication date (January 28, 2022) and the Talos advisory [1], the vulnerability affects firmware v3.0.0.136_20121102 and no patched version has been announced. Users are advised to monitor the vendor for firmware updates and restrict network access to the device to trusted networks only. No workaround is available.