VYPR
Unrated severity · NVD Advisory · Published Jan 28, 2022 · Updated Apr 15, 2025

CVE-2021-44415

Description

A denial of service vulnerability exists in the cgiserver.cgi JSON command parser functionality of Reolink RLC-410W v3.0.0.136_20121102. A specially crafted HTTP request can lead to a reboot. The issue occurs when the ModifyUser param is not an object. An attacker can send an HTTP request to trigger this vulnerability.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

An unauthenticated denial-of-service vulnerability in Reolink RLC-410W cameras allows remote attackers to trigger a device reboot via a crafted HTTP request.

Vulnerability

A denial of service vulnerability exists in the cgiserver.cgi JSON command parser of the Reolink RLC-410W camera firmware version 3.0.0.136_20121102. The ModifyUser parameter is not properly validated when it is provided as a non-object type, leading to a crash of the cgiserver.cgi process and subsequent device reboot. The affected endpoint is accessible without authentication. [1]

Exploitation

An attacker can exploit this vulnerability by sending a specially crafted HTTP request to the camera's CGI interface. No authentication is required, and the attack can be launched remotely over the network. The request must contain a malformed ModifyUser parameter that is not a JSON object, triggering the input validation flaw. [1]

Impact

Successful exploitation causes the cgiserver.cgi process to terminate, resulting in an immediate reboot of the device. This leads to a denial of service, interrupting camera functionality and any recordings in progress. The device becomes unavailable until the reboot completes. [1]

Mitigation

As of the publication date (January 2022), no firmware update has been released to address this vulnerability. Users should monitor the vendor's official website for a patched firmware version. Network-level access controls, such as restricting HTTP access to trusted IPs only, can reduce exposure but do not eliminate the risk. [1]
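
The following is an added example, not code from the advisory or from Reolink: a type check that a filtering reverse proxy or IDS rule could apply to request bodies bound for cgiserver.cgi, flagging any command whose param is present but is not a JSON object. The body layout (a JSON array of command objects with "cmd" and "param" keys), the function name and the sample bodies are assumptions; the check is applied to every command, which is broader than the ModifyUser case described here.

```python
import json

# Assumed body layout (not given in the advisory): a JSON array of command
# objects such as {"cmd": "ModifyUser", "param": {...}}.

def check_body(raw):
    """Return a list of findings; an empty list means the body may be forwarded."""
    try:
        doc = json.loads(raw)
    except (ValueError, RecursionError) as exc:
        # Covers invalid JSON, undecodable bytes and pathological nesting.
        return [f"body is not valid JSON ({exc.__class__.__name__})"]

    # Accept a single command object as well as an array of them.
    commands = doc if isinstance(doc, list) else [doc]
    findings = []
    for i, entry in enumerate(commands):
        if not isinstance(entry, dict):
            findings.append(
                f"command[{i}] is {type(entry).__name__}, expected object")
            continue
        cmd = entry.get("cmd")
        if not isinstance(cmd, str):
            findings.append(f"command[{i}] has no string 'cmd'")
            continue
        # The condition this CVE describes: 'param' present but not an object.
        if "param" in entry and not isinstance(entry["param"], dict):
            kind = type(entry["param"]).__name__
            findings.append(
                f"command[{i}] {cmd}: 'param' is {kind}, expected object")
    return findings


# Constructed sample bodies (field values are illustrative, not captured traffic).
SAMPLES = [
    '[{"cmd": "ModifyUser", "param": {"User": {"userName": "viewer"}}}]',
    '[{"cmd": "ModifyUser", "param": "text"}]',
    '[{"cmd": "ModifyUser", "param": null}]',
]

if __name__ == "__main__":
    for body in SAMPLES:
        result = check_body(body)
        print("DROP" if result else "PASS", body, result)
```

A proxy using this check would drop or log any body with a non-empty findings list before it reaches the camera.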

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2
  • reolink/RLC-410W (description)
  • Reolink/RLC-410W (llm-fuzzy)
    Range: = 3.0.0.136_20121102

Patches

0

No patches discovered yet.

References

1
