CVE-2021-44382 in RLC-410Winfo

Summary

by MITRE • 01/29/2022

A denial of service vulnerability exists in the cgiserver.cgi JSON command parser functionality of reolink RLC-410W v3.0.0.136_20121102. A specially-crafted HTTP request can lead to a reboot.SetIrLights param is not object. An attacker can send an HTTP request to trigger this vulnerability.

Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.

Analysis

by VulDB Data Team • 02/02/2022

The vulnerability identified as CVE-2021-44382 represents a denial of service condition within the cgiserver.cgi component of reolink RLC-410W firmware version v3.0.0.136_20121102. This issue manifests through the JSON command parser functionality that processes HTTP requests directed to the device's web interface. The flaw occurs when the system attempts to parse a malformed JSON payload containing the SetIrLights parameter, which is expected to be an object but is instead received as a non-object value. This parsing error triggers an unexpected system behavior that ultimately results in device reboot. The vulnerability stems from insufficient input validation and error handling within the JSON parsing routine, creating a condition where malformed data can cause the application to crash and restart.

The technical execution of this vulnerability requires an attacker to craft a specific HTTP request containing malformed JSON data with the SetIrLights parameter. This parameter should typically be structured as a JSON object but when sent as a non-object value such as a string or number, the parser fails to handle the unexpected data type gracefully. The lack of proper type checking and validation allows the system to proceed with processing invalid data, leading to an unhandled exception that causes the device to reboot. This behavior aligns with CWE-248, which addresses "Uncaught Exception" conditions in software systems, where improper exception handling leads to system instability and denial of service.

From an operational standpoint, this vulnerability presents a significant security risk as it allows remote attackers to perform denial of service attacks against the affected surveillance device without requiring authentication. The impact extends beyond simple service disruption since the device reboot can interrupt continuous video monitoring operations, potentially leaving the monitored area unprotected during the restart period. The vulnerability affects the availability aspect of the security triad, as legitimate users cannot access the device's services during the reboot cycle. Additionally, repeated exploitation can cause device instability and may contribute to hardware degradation over time, particularly if the device is frequently targeted by such attacks.

Organizations should implement immediate mitigations including network segmentation to limit access to affected devices, deployment of network intrusion detection systems to monitor for suspicious HTTP requests targeting the cgiserver.cgi endpoint, and firmware updates from the vendor when available. The ATT&CK framework categorizes this vulnerability under T1499.004, which covers "Endpoint Denial of Service" techniques, as it specifically targets the availability of networked endpoint devices. Network administrators should also consider implementing rate limiting and request validation mechanisms to prevent exploitation, while security teams should monitor for potential exploitation attempts and maintain detailed logs of HTTP traffic for forensic analysis. The vulnerability underscores the importance of proper input validation and error handling in web applications, particularly those serving security-critical functions such as surveillance equipment.

Reservation

11/29/2021

Disclosure

01/29/2022

Moderation

accepted

CPE

ready

EPSS

0.01145

KEV

no

Activities

very low

Sources

Are you interested in using VulDB?

Download the whitepaper to learn more about our service!