CVE-2021-40412

7.2 HIGH

📋 TL;DR

This CVE describes an OS command injection vulnerability in Reolink RLC-410W cameras where an attacker can execute arbitrary commands by manipulating the device name parameter. Attackers with network access to the camera's management interface can potentially gain full system control. This affects Reolink RLC-410W cameras running vulnerable firmware.

💻 Affected Systems

Products:
  • Reolink RLC-410W
Versions: v3.0.0.136_20121102 and likely earlier versions
Operating Systems: Embedded Linux firmware
Default Config Vulnerable: ⚠️ Yes
Notes: Affects the web management interface API endpoint. Requires network access to the camera's management interface.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete device compromise allowing persistent backdoor installation, credential theft, lateral movement to other network devices, and use in botnets or ransomware attacks.

🟠 Likely Case

Remote code execution leading to camera compromise, surveillance disruption, credential harvesting, and device repurposing for attacks on internal networks.

🟢 If Mitigated

Limited to authenticated users only, with proper input validation and network segmentation in place.

🌐 Internet-Facing: HIGH - These cameras are often exposed to the internet for remote access, making them prime targets for automated exploitation.
🏢 Internal Only: MEDIUM - Still significant risk if attackers gain internal network access through other means.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authentication to the camera's web interface. The vulnerability is in the SetDevName API endpoint at parameter [8].

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Check Reolink for latest firmware updates

Vendor Advisory: https://support.reolink.com/hc/en-us/articles/

Restart Required: Yes

Instructions:

1. Log into the Reolink web interface.
2. Navigate to System > Maintenance.
3. Check for firmware updates.
4. Download and install the latest firmware.
5. Reboot the camera after the update.

🔧 Temporary Workarounds

Network Segmentation

Platform: all

Isolate cameras on a separate VLAN without internet access.

Access Control

Platform: linux

Restrict management interface access to specific IP addresses only. The rules below are for the Linux host that receives the camera's management traffic; TRUSTED_IP is a placeholder for the management station's address, and port 80 is assumed to be the web interface port.

# Allow the management station, then drop everyone else on the web interface port.
# Order matters: the ACCEPT rule must be appended before the DROP rule.
iptables -A INPUT -p tcp --dport 80 -s TRUSTED_IP -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j DROP
# If the camera also serves HTTPS, repeat both rules for --dport 443.
# On a gateway in front of the camera (rather than on the camera itself), use the FORWARD chain
# with -d <camera-ip> instead of INPUT.

🧯 If You Can't Patch

  • Disable remote access and only allow local network management
  • Implement strict firewall rules blocking all inbound traffic except from management stations

🔍 How to Verify

Check if Vulnerable:

Check firmware version in web interface: System > System Information > Firmware Version

Check Version:

# Quote the URL so the shell does not treat '?' as a glob; match the key case-insensitively,
# since the firmware field name in the JSON response may differ from "Firmware" (e.g. "firmVer").
# The endpoint may require an authenticated session token (assumption; check the camera's API docs).
curl -s "http://camera-ip/cgi-bin/api.cgi?cmd=GetDevInfo" | grep -i firm

Verify Fix Applied:

Verify that the firmware version is newer than v3.0.0.136_20121102, and test the SetDevName API with input containing shell metacharacters to confirm it is rejected rather than executed.
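As an added example (not part of this advisory or Reolink's own tooling), the script below automates the first half of the check: it extracts the firmware string from a GetDevInfo response and compares it against the version named above, treating that version and anything older as vulnerable (the page says "likely earlier versions"). The version format `v<a>.<b>.<c>.<d>_<YYYYMMDD>`, the JSON key name `firmVer`, and the sample response are assumptions, not values taken from a real device.

```python
import re
from typing import Optional, Tuple

# Firmware version named in the advisory; this and earlier versions are treated as vulnerable.
KNOWN_VULNERABLE = "v3.0.0.136_20121102"

# Assumed Reolink version layout: v<major>.<minor>.<patch>.<build>_<YYYYMMDD>
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)\.(\d+)_(\d{8})$")


def parse_version(text: str) -> Optional[Tuple[int, ...]]:
    """Turn 'v3.0.0.136_20121102' into (3, 0, 0, 136, 20121102) so versions compare as tuples.
    Returns None when the string does not match the assumed layout."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        return None
    return tuple(int(g) for g in m.groups())


def is_vulnerable(firmware: str) -> Optional[bool]:
    """True if firmware is the advisory version or older, False if newer, None if unparseable."""
    parsed = parse_version(firmware)
    if parsed is None:
        return None
    return parsed <= parse_version(KNOWN_VULNERABLE)


def firmware_from_devinfo(response_text: str) -> Optional[str]:
    """Pull the firmware string out of a GetDevInfo response body.
    The key name is assumed: 'firmVer' is tried first, then anything starting with 'firmware'."""
    m = re.search(r'"(?:firmVer|[Ff]irmware[A-Za-z]*)"\s*:\s*"([^"]+)"', response_text)
    return m.group(1) if m else None


# Constructed sample response for offline testing; not captured from a real camera.
SAMPLE_RESPONSE = (
    '[{"cmd":"GetDevInfo","code":0,"value":{"DevInfo":'
    '{"model":"RLC-410W","firmVer":"v3.0.0.136_20121102"}}}]'
)

if __name__ == "__main__":
    ver = firmware_from_devinfo(SAMPLE_RESPONSE)
    print(f"firmware={ver} vulnerable={is_vulnerable(ver)}")
```

In practice, feed the body returned by the `curl` command above into `firmware_from_devinfo`; a `None` result means the response layout differs from the assumption and should be inspected by hand rather than treated as "not vulnerable".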

📡 Detection & Monitoring

Log Indicators:

  • Unusual device name changes
  • Suspicious command execution in system logs
  • Multiple failed authentication attempts

Network Indicators:

  • Unusual outbound connections from camera
  • Traffic to known malicious IPs
  • Unexpected port scans originating from camera

SIEM Query:

source="camera-logs" AND ("SetDevName" OR "devname") AND (command="*;*" OR command="*|*" OR command="*`*")

(The OR clauses must be grouped in parentheses; without them, AND binds tighter than OR and the query would also match any event whose command contains "|" or "`" regardless of source or endpoint.)
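Where no SIEM is available, the same logic can be run over exported access logs. The following is an added example, not part of this advisory: it flags SetDevName requests whose name parameter carries shell metacharacters (the `;`, `|` and backtick from the query above plus `$`, `&`, parentheses and redirects), and separately counts repeated failed logins per source, covering the log indicators listed above. The log line layout (`<timestamp> <source-ip> <method> <path> <status>`), the `name` query parameter and the sample lines are all constructed assumptions; adjust the regex to the camera's real log format.

```python
import re
from typing import Dict, List
from urllib.parse import parse_qs, unquote_plus

# Characters that have no business in a device name; mirrors the SIEM query and adds a few more.
SUSPICIOUS = re.compile(r"[;|`$&()<>\n]")

# Assumed log layout: "<timestamp> <source-ip> <method> <path-with-query> <status>"
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>\S+) (?P<path>\S+) (?P<status>\d{3})$")

# Constructed sample log lines (not real camera output). Two SetDevName calls carry
# metacharacters in the name, and one source produces three failed logins in a row.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z 192.0.2.10 POST /cgi-bin/api.cgi?cmd=SetDevName&name=lobby-cam 200
2024-05-01T10:00:05Z 192.0.2.10 POST /cgi-bin/api.cgi?cmd=GetDevInfo 200
2024-05-01T10:02:17Z 198.51.100.7 POST /cgi-bin/api.cgi?cmd=SetDevName&name=cam%3Bx 200
2024-05-01T10:02:19Z 198.51.100.7 POST /cgi-bin/api.cgi?cmd=SetDevName&name=cam%60x%60 200
2024-05-01T10:03:00Z 192.0.2.11 POST /cgi-bin/api.cgi?cmd=Login 401
2024-05-01T10:03:02Z 192.0.2.11 POST /cgi-bin/api.cgi?cmd=Login 401
2024-05-01T10:03:04Z 192.0.2.11 POST /cgi-bin/api.cgi?cmd=Login 401
"""


def scan_log(text: str) -> List[Dict[str, str]]:
    """Return one alert per SetDevName request whose name parameter contains a shell metacharacter."""
    alerts: List[Dict[str, str]] = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not match the assumed layout
        _, _, query = m.group("path").partition("?")
        params = parse_qs(query)
        if params.get("cmd", [""])[0] != "SetDevName":
            continue
        for raw in params.get("name", []):
            # parse_qs already URL-decodes once; decode again so a double-encoded
            # value like %253B does not slip past the metacharacter check.
            name = unquote_plus(raw)
            hit = SUSPICIOUS.search(name)
            if hit:
                alerts.append({"ts": m.group("ts"), "src": m.group("src"),
                               "name": name, "char": hit.group(0)})
    return alerts


def failed_logins(text: str, threshold: int = 3) -> Dict[str, int]:
    """Count HTTP 401 responses per source IP and return the sources at or above the threshold."""
    counts: Dict[str, int] = {}
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m or m.group("status") != "401":
            continue
        counts[m.group("src")] = counts.get(m.group("src"), 0) + 1
    return {src: n for src, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print("suspicious SetDevName:", alert)
    for src, n in failed_logins(SAMPLE_LOG).items():
        print(f"repeated failed logins: {src} ({n})")
```

Legitimate device names can contain some of these characters, so treat a hit as a trigger for review (who changed the name, from where, and whether the camera subsequently made unexpected outbound connections) rather than as proof of compromise.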
