CVE-2021-44419
Description
A denial of service vulnerability exists in the cgiserver.cgi JSON command parser functionality of Reolink RLC-410W v3.0.0.136_20121102. A specially-crafted HTTP request can lead to a reboot. The issue is triggered when the GetMdAlarm param is not an object. An attacker can send an HTTP request to trigger this vulnerability.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A specially-crafted HTTP request allows an unauthenticated attacker to trigger a denial of service, causing a reboot of Reolink RLC-410W cameras.
Vulnerability
A denial of service vulnerability exists in the cgiserver.cgi JSON command parser functionality of Reolink RLC-410W firmware version v3.0.0.136_20121102. The parser expects the GetMdAlarm param to be an object and does not properly validate it when a non-object type is supplied. This flaw allows a specially-crafted HTTP request to crash the cgiserver.cgi process, leading to a reboot of the device. [1]
Exploitation
An attacker can exploit this vulnerability remotely over the network without requiring any authentication or user interaction. The attack only requires sending a single HTTP request with a malformed GetMdAlarm parameter that is not an object. Because the vulnerable API is exposed without authentication, the attack can be launched from any network position that can reach the target device. [1]
Impact
Successful exploitation causes the camera to crash and reboot, resulting in a denial of service. The impact is limited to availability, with no effect on confidentiality or integrity. The reboot may cause temporary disruption of surveillance capabilities until the device comes back online. [1]
Mitigation
As of the publication date of this vulnerability (2022-01-28), no firmware update addressing this issue has been released by Reolink. Users should monitor vendor advisories and apply patches when available. In the meantime, restricting network access to the camera's web interface (port 80/443) to trusted IPs only can reduce the attack surface. The device is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog as of the last update. [1]
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- reolink/RLC-410W
Patches
No patches discovered yet.
References
[1] talosintelligence.com/vulnerability_reports/TALOS-2021-1421 (mitre, x_refsource_MISC)