CVE-2021-44360
📋 TL;DR
This vulnerability allows remote attackers to cause a denial of service by sending a specially crafted HTTP request to the Reolink RLC-410W camera's cgiserver.cgi JSON parser. The SetNorm parameter is not properly validated as an object, leading to a system reboot. This affects users of Reolink RLC-410W cameras with vulnerable firmware.
💻 Affected Systems
- Reolink RLC-410W
⚠️ Risk & Real-World Impact
Worst Case
Persistent denial of service rendering the camera unavailable, potentially disrupting surveillance operations and requiring physical intervention to restore functionality.
Likely Case
Temporary camera reboot causing surveillance gaps and requiring manual power cycle if the device enters an unstable state.
If Mitigated
Minimal impact if cameras are behind firewalls with restricted HTTP access and network segmentation.
🎯 Exploit Status
The vulnerability requires sending a malformed HTTP request to the cgiserver.cgi endpoint, which is relatively simple to craft and execute.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check Reolink for updated firmware beyond v3.0.0.136_20121102
Vendor Advisory: https://talosintelligence.com/vulnerability_reports/TALOS-2021-1421
Restart Required: Yes
Instructions:
1. Log into the Reolink camera web interface.
2. Navigate to System > Maintenance > Firmware Upgrade.
3. Download the latest firmware from the Reolink support site.
4. Upload and install the firmware.
5. The camera will reboot automatically.
🔧 Temporary Workarounds
Network Access Restriction
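Linux: Block HTTP access to the camera from untrusted networks using firewall rules. Replace TRUSTED_NETWORK with the management subnet. On a gateway that routes traffic to the camera, apply the same match in the FORWARD chain rather than INPUT.
iptables -A INPUT -p tcp --dport 80 ! -s TRUSTED_NETWORK -j DROP
iptables -A INPUT -p tcp --dport 443 ! -s TRUSTED_NETWORK -j DROP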
Disable Remote Web Access
All platforms: Turn off remote access features in camera settings to prevent external HTTP requests.
🧯 If You Can't Patch
- Segment cameras on isolated VLAN with strict firewall rules limiting HTTP traffic to management stations only.
- Implement network monitoring to detect and alert on repeated reboot patterns or malformed HTTP requests to cgiserver.cgi.
🔍 How to Verify
Check if Vulnerable:
Check firmware version in camera web interface under System > Device Information. If version is exactly v3.0.0.136_20121102, device is vulnerable.
Check Version:
curl -s "http://CAMERA_IP/cgi-bin/cgiserver.cgi?cmd=getDevInfo" | grep -i version
Verify Fix Applied:
After the firmware update, verify that the version has changed from v3.0.0.136_20121102 and test by sending a crafted HTTP request to cgiserver.cgi with an invalid SetNorm parameter (in a controlled environment).
📡 Detection & Monitoring
Log Indicators:
- Repeated camera reboots in system logs
- HTTP requests to cgiserver.cgi with malformed JSON parameters
- Error messages related to SetNorm parameter parsing
Network Indicators:
- HTTP POST/GET requests to /cgi-bin/cgiserver.cgi with unusual parameter structures
- Increased reboot-related network traffic patterns
SIEM Query:
source="camera_logs" AND ("reboot" OR "cgiserver.cgi" OR "SetNorm")
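The SIEM query above matches each indicator on its own, so it fires on routine traffic; correlating a SetNorm request to cgiserver.cgi with a reboot of the same camera shortly afterwards is more selective. The following is an added example, not part of the original advisory or of any Reolink tooling: the key=value log format, the addresses, the 30-second window and the management allowlist are assumptions, and the sample lines are constructed.

```python
from collections import Counter
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=30)   # assumed: a reboot this soon after a request is suspicious
MGMT_STATIONS = {"10.0.5.10"}    # assumed management-station allowlist

# Constructed sample in a hypothetical key=value format (proxy and camera events merged).
SAMPLE_LOG = """\
2024-05-01T10:00:02Z src=10.0.5.10 dst=10.0.9.21 uri=/cgi-bin/cgiserver.cgi cmd=getDevInfo
2024-05-01T10:03:10Z src=10.0.7.44 dst=10.0.9.21 uri=/cgi-bin/cgiserver.cgi cmd=SetNorm
2024-05-01T10:03:14Z host=10.0.9.21 event=reboot
2024-05-01T10:09:40Z src=10.0.7.44 dst=10.0.9.21 uri=/cgi-bin/cgiserver.cgi cmd=SetNorm
2024-05-01T10:09:43Z host=10.0.9.21 event=reboot
2024-05-01T11:00:00Z src=10.0.5.10 dst=10.0.9.22 uri=/cgi-bin/cgiserver.cgi cmd=SetNorm
2024-05-01T12:30:00Z host=10.0.9.22 event=reboot
"""

def parse(log):
    """Yield (timestamp, fields) for each well-formed line; skip anything else."""
    for raw in log.splitlines():
        parts = raw.split()
        try:
            ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
        except (ValueError, IndexError):
            continue
        yield ts, dict(kv.split("=", 1) for kv in parts[1:] if "=" in kv)

def correlate(log):
    """Count reboots that follow a SetNorm request to cgiserver.cgi within WINDOW."""
    recent = []        # (ts, src, dst) of SetNorm requests seen so far
    hits = Counter()   # (src, camera) -> reboots preceded by a request from src
    for ts, f in sorted(parse(log), key=lambda e: e[0]):
        if f.get("uri", "").endswith("/cgiserver.cgi") and f.get("cmd") == "SetNorm":
            recent.append((ts, f.get("src", "?"), f.get("dst", "?")))
        elif f.get("event") == "reboot":
            cam = f.get("host")
            for src in {s for t, s, d in recent if d == cam and ts - t <= WINDOW}:
                hits[(src, cam)] += 1
    return hits

def alerts(log, threshold=2):
    """Alert on repeated correlated reboots, or on any from a non-management source."""
    return sorted((src, cam, n) for (src, cam), n in correlate(log).items()
                  if n >= threshold or src not in MGMT_STATIONS)

if __name__ == "__main__":
    for src, cam, n in alerts(SAMPLE_LOG):
        print(f"ALERT {cam}: {n} reboot(s) within {WINDOW.seconds}s of SetNorm from {src}")
```

The reboot of 10.0.9.22 ninety minutes after a management-station request falls outside the window and is not flagged.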