CVE-2021-44354

7.5 HIGH

📋 TL;DR

A specially crafted HTTP request to the cgiserver.cgi JSON command parser on Reolink RLC-410W cameras makes the device reboot, i.e. a remote, unauthenticated denial of service. Each successful request costs a full boot cycle of surveillance coverage, and the request can simply be repeated. Affected users are those running the listed firmware with the camera's HTTP interface reachable by an attacker, whether from the internet or from an internal network.

💻 Affected Systems

Products:
  • Reolink RLC-410W
Versions: v3.0.0.136_20121102 (the build named in the advisory)
Operating Systems: Embedded Linux (camera firmware)
Default Config Vulnerable: ⚠️ Yes (the HTTP interface is enabled out of the box and the vulnerable endpoint needs no login)
Notes: The advisory tests only the firmware build listed above; older builds are not confirmed either way and should be treated as unpatched. Other Reolink models share the same web stack and may be affected, but that is not confirmed.

📦 What is this software?

The Reolink RLC-410W is a Wi-Fi IP surveillance camera. Its embedded web server exposes cgiserver.cgi, the CGI endpoint that parses the JSON-encoded commands sent by the browser web interface; the flaw is in that JSON command parser.

⚠️ Risk & Real-World Impact

🔴

Worst Case

A persistent attacker can send the request in a loop, rebooting the camera as soon as it comes back up and keeping the area it covers unmonitored for as long as the attack runs.

🟠

Likely Case

A single crafted request forces one reboot: roughly 1-2 minutes of lost footage during the boot cycle, plus interruption of any recording or motion alert in progress.

🟢

If Mitigated

No external exposure if the camera sits behind a firewall that allows no inbound HTTP access to it; hosts that can still reach the camera on its HTTP port (the management VLAN, a compromised internal machine) can still trigger the reboot.

🌐 Internet-Facing: HIGH - directly exploitable with a single HTTP request and no authentication.
🏢 Internal Only: MEDIUM - no authentication is required, so any host with network reach to the camera's HTTP port can trigger it.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Cisco Talos published the vulnerability report together with a proof-of-concept. The exploit is a crafted HTTP request to the cgiserver.cgi endpoint; no session token or credentials are needed.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: not stated here; check Reolink for a firmware build newer than v3.0.0.136_20121102

Vendor Advisory: https://reolink.com/support/security-advisory/

Restart Required: Yes

Instructions:

1. Download the latest firmware for the RLC-410W from the Reolink website, making sure it matches your camera's hardware version (Reolink ships separate builds per hardware revision).
2. Log into the camera web interface.
3. Navigate to System > Maintenance > Firmware Upgrade.
4. Upload and install the firmware file.
5. The camera reboots automatically after the update; confirm the new version afterwards (see How to Verify).

🔧 Temporary Workarounds

Network Segmentation

Platform: all

Place cameras on isolated VLAN with no internet access and restrict HTTP access to management interfaces only.

Firewall Rules

Platform: linux

Block external HTTP access to the camera's management ports (typically 80, 443 and 9000). The rules belong on the Linux gateway or firewall in front of the camera VLAN, not on the camera itself (the firmware gives you no shell), so they go in the FORWARD chain with the camera as destination. Allow the management host first, then drop everyone else. 192.0.2.10 (management host) and 192.0.2.50 (camera) are placeholder addresses.

# On the gateway in front of the camera VLAN: allow the management host, drop all other clients.
iptables -A FORWARD -s 192.0.2.10 -d 192.0.2.50 -p tcp -m multiport --dports 80,443,9000 -j ACCEPT
iptables -A FORWARD -d 192.0.2.50 -p tcp -m multiport --dports 80,443,9000 -j DROP

🧯 If You Can't Patch

  • Isolate the camera network segment from the internet and from other internal networks; do not rely on port forwarding or UPnP, and disable any remote-access feature you do not need.
  • Allow only specific management IPs (the NVR or the workstation used for administration) to reach the camera's HTTP ports, and log everything else that tries.

🔍 How to Verify

Check if Vulnerable:

Check the firmware version in the camera web interface: System > Device Information > Firmware Version. If the version is v3.0.0.136_20121102 (or older), the device is vulnerable.

Check Version:

curl -s -m 5 "http://<camera-ip>/cgi-bin/cgiserver.cgi?cmd=getSystemInfo" | grep -i firmware

Quote the URL so the shell does not treat ? as a glob character, and set a timeout so a camera that is mid-reboot does not hang the check. The command name and response field above are as given for this firmware; other builds may use a different command, require a login token, or return an error, in which case the web interface value is authoritative.

Verify Fix Applied:

After the firmware update, confirm the reported version is newer than v3.0.0.136_20121102 and that the camera still responds normally. Replaying the crafted request against a production camera to prove the fix is not recommended: on an unpatched unit it reboots the device, and on a patched one it proves little beyond what the version string already tells you. Test on a spare camera if you must.
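The version comparison above is easy to get wrong by hand (the build number and the trailing date both matter). The following is an added example, not code from the original page or from Reolink: it parses the version string the web UI shows (vMAJOR.MINOR.PATCH.BUILD_YYYYMMDD), pulls one out of arbitrary text such as the Device Information page or the curl output, and classifies it. Only the v3.0.0.136_20121102 figure comes from the advisory; treating any equal-or-older build as unpatched is a conservative assumption made here.

```python
"""Firmware version check for CVE-2021-44354 (Reolink RLC-410W).

Added example, not Reolink's or the page's code. The version format
vMAJOR.MINOR.PATCH.BUILD_YYYYMMDD matches the string in the advisory; the
rule that equal-or-older builds count as vulnerable is an assumption.
"""
import re

# Build named in the advisory (from the page); nothing newer is known here.
VULNERABLE = "v3.0.0.136_20121102"

_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)\.(\d+)_(\d{8})$")
_VERSION_IN_TEXT = re.compile(r"v\d+\.\d+\.\d+\.\d+_\d{8}")


def parse_version(s):
    """Return (major, minor, patch, build, yyyymmdd) as ints, or raise ValueError.

    Tuples compare lexicographically, so a higher build number wins before the
    date is consulted, and two equal builds are ordered by their build date.
    """
    m = _VERSION_RE.match(s.strip())
    if not m:
        raise ValueError(f"unrecognised Reolink firmware version string: {s!r}")
    return tuple(int(g) for g in m.groups())


def find_version(text):
    """Extract the first vX.Y.Z.NNN_YYYYMMDD token from UI or API output, or None."""
    m = _VERSION_IN_TEXT.search(text)
    return m.group(0) if m else None


def firmware_status(running):
    """Classify a running firmware string.

    'vulnerable' : at or below the advisory build (assumption: older is unpatched)
    'patched'    : strictly newer than the advisory build
    'unknown'    : string does not parse; fall back to the web UI and do not guess
    """
    try:
        have = parse_version(running)
    except ValueError:
        return "unknown"
    return "vulnerable" if have <= parse_version(VULNERABLE) else "patched"


if __name__ == "__main__":
    # Constructed sample of what the Device Information page might show.
    page_text = "Model: RLC-410W  Firmware Version: v3.0.0.136_20121102  Build: 2020-12-11"
    ver = find_version(page_text)
    print(ver, "->", firmware_status(ver) if ver else "unknown")
```

Feed `find_version` whatever you copied out of the web interface or the curl output; the "unknown" result is deliberate, so an unexpected format (a beta build, a different model's scheme) is surfaced rather than silently marked safe.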

📡 Detection & Monitoring

Log Indicators:

  • Bursts of HTTP POST requests to /cgi-bin/cgiserver.cgi from one source, especially with malformed JSON bodies or non-2xx responses (the camera itself keeps no useful HTTP log, so these come from a reverse proxy, IDS, or sensor in front of it)
  • Camera reboots or reconnects with no corresponding administrative action (NVR "device offline/online" events, DHCP re-leases, ARP changes)
  • Unusual HTTP error responses from the camera web interface

Network Indicators:

  • HTTP requests to the camera on port 80/443/9000 carrying crafted JSON payloads
  • Multiple TCP connections to the camera followed by connection resets and a gap in traffic while it boots

SIEM Query:

source="camera_logs" AND ((uri="/cgi-bin/cgiserver.cgi" AND method="POST" AND status>=500) OR event="reboot")

The parentheses matter: without them AND binds tighter than OR and the reboot clause matches events from any source. POST is also the normal method for this API, so a single POST is not an indicator; alert on a rate of requests per source, and on a reboot that follows such a burst.
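A rate-and-sequence rule is harder to express in one SIEM line than in code. The following is an added example, not code from the original page or from Reolink or Talos, that runs the detection over constructed log lines: it assumes a sensor in front of the camera logs requests as `<epoch> <src_ip> <method> <uri> <status>` and that a health monitor writes `<epoch> camera reboot`; both formats, the thresholds, and the sample addresses are assumptions made here.

```python
"""Burst detector for CVE-2021-44354-style DoS attempts against cgiserver.cgi.

Added example, not the page's or Reolink's code. Assumed (constructed) log
formats:
  <epoch> <src_ip> <method> <uri> <status>   request seen by a proxy/IDS
  <epoch> camera reboot                       event from a health monitor
"""
from collections import defaultdict, deque

VULN_URI = "/cgi-bin/cgiserver.cgi"

# Constructed sample: one legitimate client (10.0.20.5), one source hammering
# the parser (10.0.20.77), then a reboot observed by the health monitor.
SAMPLE_LOG = """\
1700000000 10.0.20.5 POST /cgi-bin/cgiserver.cgi 200
1700000001 10.0.20.5 POST /cgi-bin/cgiserver.cgi 200
1700000030 10.0.20.77 POST /cgi-bin/cgiserver.cgi 500
1700000030 10.0.20.77 POST /cgi-bin/cgiserver.cgi 500
1700000031 10.0.20.77 POST /cgi-bin/cgiserver.cgi 500
1700000031 10.0.20.77 POST /cgi-bin/cgiserver.cgi 500
1700000032 10.0.20.77 POST /cgi-bin/cgiserver.cgi 500
1700000033 10.0.20.77 POST /cgi-bin/cgiserver.cgi 500
1700000045 camera reboot
1700000200 10.0.20.5 GET /cgi-bin/cgiserver.cgi 200
"""


def parse_line(line):
    """Parse one log line into a dict, or return None for anything unrecognised."""
    parts = line.split()
    if len(parts) == 3 and parts[1] == "camera":
        return {"ts": int(parts[0]), "event": parts[2]}
    if len(parts) == 5:
        return {"ts": int(parts[0]), "src": parts[1], "method": parts[2],
                "uri": parts[3], "status": int(parts[4])}
    return None


def detect(log_text, window=30, threshold=5, reboot_grace=120):
    """Return sorted alerts (src_ip, burst_start_ts, max_hits_in_window, followed_by_reboot).

    A source is flagged when it sends >= threshold requests to the vulnerable
    URI within `window` seconds. The alert also records whether a camera reboot
    was seen within window + reboot_grace seconds of the burst start, which is
    the sequence that distinguishes a successful DoS from noisy polling.
    """
    recent = defaultdict(deque)  # src -> timestamps of hits inside the sliding window
    bursts = {}                  # src -> [burst_start_ts, max_hits_in_window]
    reboots = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        if "event" in rec:
            if rec["event"] == "reboot":
                reboots.append(rec["ts"])
            continue
        if rec["uri"] != VULN_URI:
            continue
        q = recent[rec["src"]]
        q.append(rec["ts"])
        while q and rec["ts"] - q[0] > window:   # expire hits outside the window
            q.popleft()
        if len(q) >= threshold:
            if rec["src"] not in bursts:
                bursts[rec["src"]] = [q[0], len(q)]
            else:
                bursts[rec["src"]][1] = max(bursts[rec["src"]][1], len(q))
    alerts = []
    for src, (start, hits) in bursts.items():
        followed = any(start <= r <= start + window + reboot_grace for r in reboots)
        alerts.append((src, start, hits, followed))
    return sorted(alerts)


if __name__ == "__main__":
    for src, start, hits, followed in detect(SAMPLE_LOG):
        print(f"{src}: {hits} hits from {start}; reboot followed: {followed}")
```

Tune `threshold` to the polling rate of your own NVR or client software before deploying this: the legitimate client in the sample stays below it, which is the point, but a chatty NVR would not.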

🔗 References

  • Reolink security advisories: https://reolink.com/support/security-advisory/
  • NVD entry: https://nvd.nist.gov/vuln/detail/CVE-2021-44354
  • Cisco Talos vulnerability report for CVE-2021-44354 (includes the proof-of-concept)