CVE-2022-21236
Description
An information disclosure vulnerability exists due to a web server misconfiguration in the Reolink RLC-410W v3.0.0.136_20121102. A specially-crafted HTTP request can lead to a disclosure of sensitive information. An attacker can send an HTTP request to trigger this vulnerability.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The Reolink RLC-410W camera stores its TLS private key inside the web root, allowing unauthenticated download via an HTTP request and leading to information disclosure.
Vulnerability
The Reolink RLC-410W camera version 3.0.0.136_20121102 contains a web server misconfiguration where the TLS private key (self.key) is stored inside the nginx document root (/mnt/app/www/). Due to insufficient access control, an attacker can download the private key with a simple HTTP request [1].
Exploitation
An unauthenticated attacker with network access can send an HTTP GET request to http:///self.key to retrieve the private key. No authentication or user interaction is required. The attack vector is network-based (AV:N) with high attack complexity (AC:H) due to the need for precise timing or network position to exploit the decryption aspect, but the initial key download is trivial [1].
Impact
Successful exploitation enables the attacker to impersonate the camera by using the private key to decrypt HTTPS traffic, potentially stealing authentication tokens of logged-in users. This could allow the attacker to gain admin privileges, affecting confidentiality, integrity, and availability of the device (CVSS 8.1) [1].
Mitigation
As of the report date (January 2022), no patched version was available. The vendor was notified but no fix was released. Users should monitor for firmware updates from Reolink. In the interim, restricting network access to the camera and using VPNs may reduce risk, but no official workaround is documented [1].
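The root cause described above (a private key such as self.key sitting inside the nginx document root) can be caught before release by scanning the document root for key material. The following is an added example, not code from Reolink, Talos or this page; the function names, the suffix list and the temporary directory it scans are assumptions made for illustration.

```python
import os
import tempfile

# Standard PEM labels that identify private key material.
PRIVATE_KEY_MARKERS = (
    b"-----BEGIN PRIVATE KEY-----",
    b"-----BEGIN RSA PRIVATE KEY-----",
    b"-----BEGIN EC PRIVATE KEY-----",
    b"-----BEGIN ENCRYPTED PRIVATE KEY-----",
)
# Assumption: file suffixes that commonly hold keys; checked in addition to content.
SUSPECT_SUFFIXES = (".key", ".pem", ".p12", ".pfx")


def find_exposed_keys(docroot, max_read=65536):
    """Return sorted (relative_path, reason) pairs for key-like files under docroot.

    Symlinked files are opened too, so a key linked into the web root is reported.
    """
    findings = []
    for dirpath, _dirs, files in os.walk(docroot):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, docroot)
            try:
                with open(path, "rb") as fh:
                    head = fh.read(max_read)
            except OSError:
                continue  # dangling link or unreadable file: nothing to inspect
            if any(marker in head for marker in PRIVATE_KEY_MARKERS):
                findings.append((rel, "pem-private-key"))
            elif name.lower().endswith(SUSPECT_SUFFIXES):
                findings.append((rel, "key-like-filename"))
    return sorted(findings)


def demo():
    """Scan a constructed document root (placeholder key text, not real firmware)."""
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "index.html"), "w") as fh:
            fh.write("<html></html>")
        with open(os.path.join(root, "self.key"), "w") as fh:
            fh.write("-----BEGIN RSA PRIVATE KEY-----\nPLACEHOLDER\n")
        os.mkdir(os.path.join(root, "certs"))
        with open(os.path.join(root, "certs", "backup.pfx"), "wb") as fh:
            fh.write(b"\x30\x82")  # constructed bytes, flagged by name only
        return find_exposed_keys(root)


if __name__ == "__main__":
    for rel, reason in demo():
        print(f"{reason}: {rel}")
```

Run against an unpacked firmware image or a server's real document root, any finding means the key should be moved outside the served tree and treated as compromised if the server was ever reachable.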
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Reolink/RLC-410W
Patches
No patches discovered yet.
References
[1] talosintelligence.com/vulnerability_reports/TALOS-2022-1446 (mitre, x_refsource_MISC)