CVE-2021-40407 in RLC-410W

Summary

by MITRE • 01/28/2022

An OS command injection vulnerability exists in the device network settings functionality of Reolink RLC-410W v3.0.0.136_20121102. At [1] or [2], based on DDNS type, the ddns->domain variable, that has the value of the domain parameter provided through the SetDdns API, is not validated properly. This would lead to an OS command injection. An attacker can send an HTTP request to trigger this vulnerability.


Analysis

by VulDB Data Team • 04/02/2025

CVE-2021-40407 is an operating system command injection flaw in the Reolink RLC-410W camera firmware, version 3.0.0.136_20121102. It sits in the device network settings functionality, specifically the Dynamic DNS (DDNS) implementation: the domain parameter accepted by the SetDdns API is stored in ddns->domain and, depending on the configured DDNS type, used at one of two code locations without proper validation. Because the value ends up in an operating system command, an attacker who can reach the API can execute arbitrary commands on the camera with a single HTTP request; no physical access is needed.

The root cause is missing input validation in the firmware's network configuration code. When SetDdns receives a domain parameter, the firmware neither restricts the value to the characters a hostname may contain nor escapes it before building the command that uses it, so shell metacharacters in the value (for example ';', '|' or '$( )') are interpreted by the shell as command separators and substitutions rather than as part of the domain name. VulDB classifies the weakness as CWE-77, Improper Neutralization of Special Elements used in a Command, the CWE class for untrusted data placed into a command string without neutralization.
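The pattern described above, shown as an added illustration rather than Reolink's code. The struct, the two command templates, the "ddns_client" helper and its path are assumptions standing in for the firmware's real handling; the sample domain values are constructed. The vulnerable builder shows how an injected payload survives into the string that would reach system(), and the hardened path pairs an RFC 1123 hostname allow-list with a direct execv() so that no shell ever parses the value.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical stand-in for the firmware's DDNS settings record.  The struct,
 * the "ddns_client" helper and its command line are assumptions made for this
 * example; the real field layout and command are not public here. */
struct ddns_config {
    int  type;          /* DDNS provider selector, picks one of two templates */
    char domain[256];   /* value of the SetDdns "domain" parameter, unvalidated */
};

/* VULNERABLE pattern: the attacker-controlled domain is spliced into a shell
 * command line the firmware would then pass to system().  A domain such as
 * "cam.example.org;telnetd -l /bin/sh" ends the intended command at ';' and
 * the shell runs telnetd as the web service's user. */
int build_ddns_command_vulnerable(const struct ddns_config *ddns, char *cmd, size_t cmdlen)
{
    /* two code paths, two templates, the same missing check on ddns->domain */
    const char *tmpl = (ddns->type == 0)
        ? "ddns_client --provider a --domain %s"
        : "ddns_client --provider b --domain %s";
    return snprintf(cmd, cmdlen, tmpl, ddns->domain);
}

/* Does a payload survive intact into the command string the vulnerable path
 * would hand to system()? */
bool payload_survives_vulnerable_path(const char *domain, const char *payload)
{
    struct ddns_config ddns = { .type = 1 };
    snprintf(ddns.domain, sizeof ddns.domain, "%s", domain);
    char cmd[512];
    build_ddns_command_vulnerable(&ddns, cmd, sizeof cmd);
    return strstr(cmd, payload) != NULL;
}

/* HARDENED step 1: allow-list validation of a DNS hostname (RFC 1123 syntax).
 * Labels are 1..63 characters from [A-Za-z0-9-], may not start or end with
 * '-', and the whole name is at most 253 characters.  Empty labels, a
 * trailing dot and every other byte (';', '|', '`', '$', '(', space, quotes)
 * are rejected, so no shell metacharacter can pass. */
bool ddns_domain_is_valid(const char *domain)
{
    size_t len = strlen(domain);
    if (len == 0 || len > 253)
        return false;

    size_t label_len = 0;
    for (size_t i = 0; i <= len; i++) {
        char c = domain[i];
        if (c == '.' || c == '\0') {           /* end of a label */
            if (label_len == 0 || label_len > 63)
                return false;
            if (domain[i - 1] == '-')          /* label may not end with '-' */
                return false;
            label_len = 0;
            continue;
        }
        if (label_len == 0 && c == '-')        /* label may not start with '-' */
            return false;
        if (!isalnum((unsigned char)c) && c != '-')
            return false;
        label_len++;
    }
    return true;
}

/* HARDENED step 2: never let a shell see the value.  Validate, then exec the
 * helper directly with an argv vector; the domain is a single argument no
 * matter which bytes it contains.  Returns the helper's exit status, or -1 if
 * the domain was rejected or the child could not be run. */
int set_ddns_safe(int type, const char *domain)
{
    if (!ddns_domain_is_valid(domain))
        return -1;

    char *const argv[] = {
        "ddns_client", "--provider", (type == 0) ? "a" : "b",
        "--domain", (char *)domain, NULL
    };
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execv("/usr/bin/ddns_client", argv);   /* assumed path of the helper */
        _exit(127);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    const char *evil = "cam.example.org;telnetd -l /bin/sh";   /* constructed input */
    printf("vulnerable path keeps payload: %s\n",
           payload_survives_vulnerable_path(evil, ";telnetd -l /bin/sh") ? "yes" : "no");
    printf("hardened path accepts it:      %s\n",
           set_ddns_safe(0, evil) == -1 ? "no (rejected)" : "yes");
    return 0;
}
```

Validation alone is not the fix; an allow-list this strict is defensible for a hostname, but the decisive change is the second step, replacing system() with execv() so the argument boundary is set by the program rather than by whatever the shell makes of the string. The allow-list also rejects underscores and IDN bytes, which is acceptable for a DDNS hostname but would need widening for other fields.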

Successful exploitation means full compromise of the camera, not merely unauthorized access. Injected commands run with the privileges of the web service process, which on embedded cameras of this class is typically root, so an attacker can alter the configuration, install persistent malware, exfiltrate recorded video, or use the camera as a pivot into the rest of the local network. DDNS is precisely the feature users enable for remote access to the camera, so affected devices are likely to be reachable from the Internet. The summary states only that an HTTP request to the SetDdns API triggers the flaw; it does not say whether that request must be authenticated, so defenders should check the vendor advisory and, until then, treat any host able to reach the camera's web interface as a potential attacker.

In MITRE ATT&CK terms, exploitation maps to T1190 (Exploit Public-Facing Application) for the initial access and T1059 (Command and Scripting Interpreter) for the injected commands, most plausibly the T1059.004 (Unix Shell) sub-technique on a Linux-based camera. Mitigation starts with installing a fixed firmware from Reolink. Beyond that, keep the camera's web interface off the Internet and segment it from the rest of the network, disable DDNS and any other network-facing service that is not needed, restrict who may reach the management interface, and log or alert on requests to the SetDdns API whose domain value contains characters that cannot appear in a hostname. Configurations should be audited regularly for similar exposures. The vulnerability illustrates why input validation and avoiding shell-mediated command execution matter in embedded systems, especially for cameras and other surveillance equipment that run with elevated privileges and hold sensitive recordings.

Reservation

09/01/2021

Disclosure

01/28/2022

Moderation

accepted

CPE

ready

EPSS

0.47915

KEV

yes

Activities

very low
