CVE-2021-44360 in RLC-410W

Summary

by MITRE • 01/29/2022

A denial of service vulnerability exists in the cgiserver.cgi JSON command parser functionality of reolink RLC-410W v3.0.0.136_20121102. A specially-crafted HTTP request can lead to a reboot. SetNorm param is not object. An attacker can send an HTTP request to trigger this vulnerability.


Analysis

by VulDB Data Team • 02/02/2022

The vulnerability identified as CVE-2021-44360 represents a critical denial of service weakness within the Reolink RLC-410W security camera firmware version 3.0.0.136_20121102. This issue manifests in the cgiserver.cgi component which processes JSON command requests, specifically targeting the SetNorm parameter handling mechanism. The flaw stems from inadequate input validation and improper error handling within the JSON parser functionality that governs how the device processes administrative commands. Attackers can exploit this vulnerability by crafting malicious HTTP requests that manipulate the SetNorm parameter in ways that the system cannot properly interpret or handle.

The technical nature of this vulnerability aligns with CWE-20, which describes improper input validation, and CWE-400, which covers unchecked resource consumption. The device's JSON command parser fails to properly validate that the SetNorm parameter is structured as a valid object before attempting to process it, creating a condition where malformed input can cause the system to enter an unstable state. When the parser encounters unexpected data structure formats for this parameter, it triggers an unhandled exception that results in the device automatically rebooting. This behavior effectively creates a persistent denial of service condition that can be repeatedly triggered by an attacker without requiring authentication or specialized access privileges.

The operational impact of this vulnerability extends beyond simple service disruption to potentially compromise the security posture of networked surveillance systems. A remote attacker capable of sending HTTP requests to the affected device can repeatedly cause reboots, disrupting video surveillance operations and potentially creating windows of opportunity for more sophisticated attacks. The vulnerability's accessibility means that even unauthenticated attackers can exploit it, making it particularly dangerous in environments where security cameras are deployed without proper network segmentation or access controls. The device's automatic reboot behavior also prevents operators from diagnosing or recovering from the condition manually, forcing complete system downtime until the attacker ceases their malicious activity.

Mitigation strategies for this vulnerability should focus on immediate firmware updates from Reolink to address the underlying parsing logic flaws and implement proper input validation mechanisms. Network administrators should consider implementing firewall rules to restrict access to the device's HTTP management interfaces, particularly if the cameras are deployed in untrusted network segments. The implementation of intrusion detection systems that monitor for anomalous HTTP request patterns targeting the cgiserver.cgi endpoint can provide early warning of exploitation attempts. Additionally, organizations should establish regular firmware update procedures to ensure all networked devices receive security patches promptly. From an ATT&CK framework perspective, this vulnerability maps to technique T1499.004 for network denial of service and T1566.001 for spearphishing via web applications, emphasizing the need for comprehensive network security controls beyond just patch management to protect against such exploitation vectors.
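The object check the analysis says the parser lacks can be enforced in front of the camera, for example in a reverse proxy or an IDS rule for cgiserver.cgi. The sketch below is an added example, not Reolink or VulDB code. It assumes the request body is a JSON array of command objects carrying `cmd` and `param` keys; that layout, the function name `inspect_body` and all sample bodies are assumptions or constructed values.

```python
import json

WATCHED_CMDS = {"SetNorm"}  # command named in the CVE description


def inspect_body(body: bytes) -> list[str]:
    """Return findings for one cgiserver.cgi request body; empty list means pass."""
    try:
        doc = json.loads(body.decode("utf-8"))
    except (ValueError, RecursionError):  # bad UTF-8, bad JSON, or absurd nesting
        return ["body is not valid UTF-8 JSON"]
    # Assumed layout: a list of command objects (a single object is tolerated).
    commands = doc if isinstance(doc, list) else [doc]
    findings = []
    for i, entry in enumerate(commands):
        if not isinstance(entry, dict):
            findings.append(f"command {i}: entry is {type(entry).__name__}, not object")
            continue
        cmd = entry.get("cmd")
        if not isinstance(cmd, str) or cmd not in WATCHED_CMDS:
            continue  # only the command covered by this CVE is checked here
        param = entry.get("param")
        if not isinstance(param, dict):
            # The condition from the advisory: "SetNorm param is not object".
            findings.append(
                f"command {i}: {cmd} param is {type(param).__name__}, not object"
            )
    return findings


# Constructed sample bodies (not captured traffic).
SAMPLES = {
    "well_formed": b'[{"cmd": "SetNorm", "param": {"placeholder": 0}}]',
    "param_not_object": b'[{"cmd": "SetNorm", "param": 1}]',
    "param_missing": b'[{"cmd": "SetNorm"}]',
    "other_cmd": b'[{"cmd": "OtherCmd", "param": 1}]',
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        result = inspect_body(body)
        print(f"{name}: {'BLOCK/ALERT ' + '; '.join(result) if result else 'pass'}")
```

Requests that produce findings can be dropped before they reach the device or logged as exploitation attempts; extending `WATCHED_CMDS` covers other commands with the same parsing weakness.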

Reservation

11/29/2021

Disclosure

01/29/2022

Moderation

accepted

CPE

ready

EPSS

0.01145

KEV

no

Activities

very low
