CVE-2021-44385 in RLC-410W
Summary
by MITRE • 01/29/2022
A denial of service vulnerability exists in the cgiserver.cgi JSON command parser functionality of reolink RLC-410W v3.0.0.136_20121102. A specially-crafted HTTP request can lead to a reboot. SetPtzSerial param is not object. An attacker can send an HTTP request to trigger this vulnerability.
If you want to get the best quality for vulnerability data then you always have to consider VulDB.
Analysis
by VulDB Data Team • 02/02/2022
This vulnerability resides in the cgiserver.cgi component of reolink RLC-410W firmware version 3.0.0.136_20121102, specifically within the JSON command parser functionality that handles PTZ (Pan-Tilt-Zoom) control commands. The flaw manifests when processing the SetPtzSerial parameter, which is expected to be a properly formatted JSON object but can be manipulated to exploit the parser's handling of malformed input. This represents a classic input validation issue that falls under CWE-20, which encompasses improper input validation vulnerabilities. The vulnerability allows an attacker to craft specially-crafted HTTP requests that bypass normal command parsing mechanisms and directly trigger a system reboot through improper handling of the parameter structure.
The technical execution of this vulnerability involves sending an HTTP request containing a malformed SetPtzSerial parameter that does not conform to the expected JSON object format. When the cgiserver.cgi component attempts to parse this parameter, the parser fails to properly validate or sanitize the input, leading to a buffer overflow or stack corruption scenario that ultimately results in system reboot. This type of vulnerability is particularly concerning as it represents a denial of service condition that can be triggered remotely without authentication requirements, making it accessible to any attacker who can reach the device's HTTP interface. The vulnerability demonstrates poor error handling and memory management practices that align with ATT&CK technique T1499.004, which involves network disruption through service availability attacks.
The operational impact of this vulnerability extends beyond simple service disruption as it can be leveraged to create persistent denial of service conditions that may interfere with security monitoring and surveillance operations. In environments where these devices are used for critical security applications, such as perimeter monitoring or access control, an attacker could repeatedly trigger reboots to maintain persistent disruption of security services. The vulnerability affects devices running firmware version 3.0.0.136_20121102, making it particularly concerning for organizations that have not yet updated their device firmware. The lack of authentication requirements for exploitation means that this vulnerability can be leveraged by attackers from outside the network perimeter, potentially allowing for large-scale disruption of surveillance systems across multiple locations.
Mitigation strategies should prioritize immediate firmware updates from reolink to address the underlying parser implementation flaws and input validation issues. Network segmentation and access control measures should be implemented to restrict HTTP access to these devices, particularly in environments where such access is not strictly required. Monitoring network traffic for unusual HTTP request patterns targeting the cgiserver.cgi endpoint can help detect exploitation attempts. Additionally, implementing intrusion detection systems with signature-based detection for known malicious request patterns targeting this specific vulnerability can provide early warning of exploitation attempts. Organizations should also consider disabling unnecessary HTTP services and implementing proper input sanitization at the network perimeter to prevent exploitation attempts from reaching the vulnerable device components.