CVE-2021-44381 in RLC-410W
Summary
by MITRE • 01/29/2022
A denial of service vulnerability exists in the cgiserver.cgi JSON command parser functionality of reolink RLC-410W v3.0.0.136_20121102. A specially-crafted HTTP request can lead to a reboot. SetPowerLed param is not object. An attacker can send an HTTP request to trigger this vulnerability.
Analysis
by VulDB Data Team • 02/02/2022
The vulnerability identified as CVE-2021-44381 affects the Reolink RLC-410W security camera running firmware version v3.0.0.136_20121102. The issue resides in the cgiserver.cgi component, which handles JSON command parsing for various device operations. The device's web interface uses this CGI script to process administrative commands, making it a critical attack surface for remote exploitation. The vulnerability lies in the handling of the SetPowerLed parameter within the JSON parser, which creates a path for unauthorized device disruption through crafted HTTP requests.
The technical flaw is a lack of input validation and parameter type checking in the JSON command parser. When an attacker submits an HTTP request containing a malformed SetPowerLed parameter, the system fails to check that the parameter is an object. The resulting parsing error crashes the system, which triggers an automatic device reboot. The vulnerability stems from improper error handling and insufficient sanitization of user-supplied data in the CGI script's JSON parsing routine. According to CWE classification, this is a weakness in input validation and error handling that can lead to denial of service conditions.
The operational impact of this vulnerability extends beyond simple service disruption as it provides attackers with a reliable method to remotely reboot the security camera without requiring authentication. This denial of service capability can be particularly damaging in surveillance environments where continuous monitoring is critical for security operations. The automatic reboot cycle can interrupt video recording, disable motion detection alerts, and compromise the overall security infrastructure. Network administrators may experience significant operational challenges as the device repeatedly restarts, potentially creating gaps in security coverage and requiring manual intervention to restore normal operations. The vulnerability aligns with ATT&CK technique T1499.004 which covers network denial of service attacks.
Mitigation should prioritize immediate firmware updates from Reolink to address the underlying parsing vulnerability. Network segmentation and access control measures can limit exposure by restricting direct internet access to the device. Web application firewalls that detect and block malformed JSON requests targeting the cgiserver.cgi endpoint provide an additional layer of protection. Regular monitoring of device logs for unusual reboot patterns can help identify exploitation attempts. Security teams should also consider disabling unnecessary web interface functionality and implementing strict authentication controls to minimize the attack surface. Organizations should establish procedures for regular firmware updates and vulnerability assessments to prevent similar issues from affecting their security infrastructure.
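One way to implement the filtering described above, as an added example (not Reolink or VulDB code): a check that a reverse proxy or WAF hook could run on request bodies bound for cgiserver.cgi, rejecting any SetPowerLed command whose `param` is not a JSON object. The envelope it assumes (a command object, or an array of them, with `cmd` and `param` keys), the size cap and the sample bodies are assumptions made for this example.

```python
import json

# Commands whose "param" must be a JSON object. The page names SetPowerLed;
# extend this set for other commands you want to guard.
GUARDED_COMMANDS = frozenset({"SetPowerLed"})
MAX_BODY_BYTES = 64 * 1024  # assumed cap; tune for your deployment


def _no_dupes(pairs):
    # Reject duplicate keys so this check and the device's parser cannot
    # disagree about which "param" value is the effective one.
    obj = dict(pairs)
    if len(obj) != len(pairs):
        raise ValueError("duplicate key")
    return obj


def check_body(raw: bytes) -> tuple[bool, str]:
    """Return (allow, reason) for a request body bound for cgiserver.cgi."""
    if len(raw) > MAX_BODY_BYTES:
        return False, "body too large"
    try:
        doc = json.loads(raw.decode("utf-8"), object_pairs_hook=_no_dupes)
    except (ValueError, RecursionError):
        return False, "body is not well-formed UTF-8 JSON"
    # Assumed envelope: one command object or an array of them.
    commands = doc if isinstance(doc, list) else [doc]
    for i, entry in enumerate(commands):
        if not isinstance(entry, dict):
            return False, f"command {i} is not an object"
        cmd = entry.get("cmd")
        if not isinstance(cmd, str):
            return False, f"command {i} has no string 'cmd'"
        if cmd in GUARDED_COMMANDS and not isinstance(entry.get("param"), dict):
            return False, f"{cmd}: 'param' is missing or not an object"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample bodies, not captured traffic.
    samples = [
        b'[{"cmd": "SetPowerLed", "param": {"PowerLed": {"state": "On"}}}]',
        b'[{"cmd": "SetPowerLed", "param": "On"}]',
    ]
    for body in samples:
        print(check_body(body))
```

Blocked requests should be logged with their source address, since the reason string gives responders a signal to correlate with the reboot monitoring mentioned above.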