CVE-2021-44364
📋 TL;DR
A denial-of-service vulnerability in Reolink RLC-410W cameras allows attackers to cause device reboots by sending specially crafted HTTP requests to the cgiserver.cgi JSON parser. This affects Reolink RLC-410W v3.0.0.136_20121102 firmware users, potentially disrupting camera functionality and surveillance coverage.
💻 Affected Systems
- Reolink RLC-410W
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Persistent denial-of-service attacks could render cameras unusable for extended periods, compromising physical security monitoring and creating surveillance blind spots.
Likely Case
Temporary camera reboots causing surveillance gaps of 1-2 minutes during reboot cycles, potentially missing critical events.
If Mitigated
Minimal impact with proper network segmentation and access controls preventing unauthorized HTTP requests to camera interfaces.
🎯 Exploit Status
Exploitation requires sending a malformed HTTP request with invalid JSON structure for SetWifi parameter; trivial for attackers with network access.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Later firmware versions (check Reolink support for specific fixed version)
Vendor Advisory: https://talosintelligence.com/vulnerability_reports/TALOS-2021-1421
Restart Required: Yes
Instructions:
1. Log into Reolink camera web interface 2. Navigate to System > Maintenance 3. Check for firmware updates 4. Download and install latest firmware 5. Reboot camera after update
🔧 Temporary Workarounds
Network Segmentation
allIsolate cameras on separate VLAN with restricted access to management interfaces
Access Control Lists
linuxRestrict HTTP access to camera management interfaces to authorized IPs only
iptables -A INPUT -p tcp --dport 80 -s trusted_ip -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j DROP
🧯 If You Can't Patch
- Place cameras behind firewalls with strict inbound rules blocking all external HTTP access
- Implement network monitoring for repeated reboot patterns or malformed HTTP requests to camera IPs
🔍 How to Verify
Check if Vulnerable:
Check firmware version in camera web interface: System > Device Information > Firmware VersionCheck Version:
curl -s http://camera_ip/cgi-bin/cgiserver.cgi?cmd=getDevInfo | grep FirmwareVerify Fix Applied:
Verify firmware version is newer than v3.0.0.136_20121102 and test with controlled malformed HTTP request to confirm no reboot occurs📡 Detection & Monitoring
Log Indicators:
- Repeated camera reboots in system logs
- HTTP requests with malformed JSON to cgiserver.cgi
Network Indicators:
- HTTP POST requests to /cgi-bin/cgiserver.cgi with invalid JSON structure
- Unusual reboot patterns from camera IPs
SIEM Query:
source="camera_logs" AND ("reboot" OR "cgiserver.cgi") AND status="error"