CVE-2021-44417

Vulnerability

The vulnerability resides in the cgiserver.cgi JSON command parser functionality of reolink RLC-410W firmware version v3.0.0.136_20121102. A specially-crafted HTTP request that provides an unexpected value for the GetAlarm parameter (specifically, a non-object type) triggers improper input validation (CWE-20). This leads to a crash of the cgiserver.cgi process and subsequently a device reboot. No authentication is required to reach the vulnerable code path [1].

Exploitation

An attacker can send a crafted HTTP request to the target device's CGI interface without any prior authentication or network position requirements (the device is typically accessible over the local network or the internet if exposed). The request must include a malformed GetAlarm parameter, e.g., setting it to a non-object JSON type. The server processes this input, fails validation, and the cgiserver.cgi process terminates, causing the device to reboot [1].

Impact

Successful exploitation results in a denial of service by forcing the device to reboot. The attacker does not gain code execution or data access, but the device becomes unavailable until the reboot completes. The impact is a high availability loss with no confidentiality or integrity compromise. The CVSSv3 score for this issue is 8.6 (AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H) [1].

Mitigation

As of the publication date (2022-01-28), no patched firmware version has been disclosed in the available references. Users are advised to restrict network access to the camera (e.g., via firewall rules or VPN) and ensure the device is not exposed to untrusted networks. The vendor should be contacted for a firmware update [1].