CVE-2021-44371
📋 TL;DR
A denial-of-service vulnerability in Reolink RLC-410W cameras allows attackers to cause device reboots via specially crafted HTTP requests targeting the cgiserver.cgi JSON parser. This affects Reolink RLC-410W camera users running vulnerable firmware versions, potentially disrupting surveillance operations.
💻 Affected Systems
- Reolink RLC-410W
⚠️ Risk & Real-World Impact
Worst Case
Persistent denial-of-service attacks could render cameras unavailable for extended periods, creating surveillance blind spots and potentially enabling physical security breaches during downtime.
Likely Case
Temporary camera reboots causing surveillance gaps of 1-2 minutes per attack, disrupting continuous monitoring and potentially missing critical events.
If Mitigated
Minimal impact with proper network segmentation and monitoring, allowing quick detection and response to attack attempts.
🎯 Exploit Status
The vulnerability is well-documented in public advisories with technical details that could be easily weaponized into automated attack tools.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check Reolink support for latest firmware updates
Vendor Advisory: https://support.reolink.com/hc/en-us/articles/
Restart Required: Yes
Instructions:
1. Log into the Reolink client software or web interface.
2. Navigate to Settings > System > Maintenance.
3. Check for firmware updates.
4. Download and install the latest firmware.
5. The camera will automatically reboot after the update.
🔧 Temporary Workarounds
Network Segmentation
All platforms: Isolate cameras on a separate VLAN with restricted access to management interfaces
Firewall Restrictions
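Linux: Block external HTTP access to camera management ports (typically 80, 443). The INPUT chain only filters traffic addressed to the host the rules run on, so on a gateway that routes traffic to the cameras the equivalent rules belong in the FORWARD chain.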
iptables -A INPUT -p tcp --dport 80 -j DROP
iptables -A INPUT -p tcp --dport 443 -j DROP
🧯 If You Can't Patch
- Implement strict network access controls to prevent unauthorized HTTP requests to camera management interfaces
- Deploy network monitoring to detect and alert on repeated reboot patterns or suspicious HTTP traffic to camera IPs
🔍 How to Verify
Check if Vulnerable:
Check firmware version in camera web interface: Settings > System > Device Information > Firmware Version
Check Version:
curl -s "http://[CAMERA_IP]/cgi-bin/api.cgi?cmd=GetDevInfo" | grep -i firm
Verify Fix Applied:
Verify that the firmware version is newer than v3.0.0.136_20121102, then test with a controlled HTTP request to the cgiserver.cgi endpoint
📡 Detection & Monitoring
Log Indicators:
- Repeated camera reboot events
- HTTP requests to /cgi-bin/cgiserver.cgi with malformed JSON
- SetEmail parameter in HTTP logs without proper object structure
Network Indicators:
- HTTP POST requests to camera IP on port 80/443 containing SetEmail parameter
- Multiple TCP connections to camera followed by device becoming unresponsive
SIEM Query:
source="camera_logs" AND ("reboot" OR "cgiserver.cgi") | stats count by src_ip dest_ip
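The SIEM query above counts matching events per source and destination; the added example below (not part of the original advisory) goes one step further and correlates SetEmail requests to cgiserver.cgi with a reboot of the same camera shortly afterwards. The log layout, IP addresses, window and threshold are assumptions constructed for this example; only the src_ip/dest_ip naming is borrowed from the query.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample events; the "time src_ip dest_ip kind detail" layout is an
# assumption for this example, not a Reolink or SIEM log format.
SAMPLE_LOG = """\
2024-05-01T10:00:05 10.0.20.7 10.0.30.11 http POST /cgi-bin/cgiserver.cgi cmd=SetEmail
2024-05-01T10:00:09 - 10.0.30.11 reboot device restarted
2024-05-01T10:03:40 10.0.20.7 10.0.30.11 http POST /cgi-bin/cgiserver.cgi cmd=SetEmail
2024-05-01T10:03:44 - 10.0.30.11 reboot device restarted
2024-05-01T10:20:00 10.0.20.9 10.0.30.12 http POST /cgi-bin/cgiserver.cgi cmd=GetDevInfo
2024-05-01T11:00:00 - 10.0.30.12 reboot device restarted
2024-05-01T12:00:00 10.0.20.8 10.0.30.11 http POST /cgi-bin/cgiserver.cgi cmd=SetEmail
"""

def parse(line):
    """Split one event line into (time, src_ip, dest_ip, kind, detail)."""
    ts, src, dest, kind, detail = line.split(" ", 4)
    return datetime.fromisoformat(ts), src, dest, kind, detail

def reboots_after_setemail(log_text, window=timedelta(seconds=30), threshold=2):
    """Return {(src_ip, dest_ip): count} for sources whose SetEmail requests to
    cgiserver.cgi were followed by a reboot of the same camera within `window`,
    at least `threshold` times."""
    events = sorted(parse(l) for l in log_text.splitlines() if l.strip())
    pending = {}      # dest_ip -> [(time, src_ip)] requests not yet matched to a reboot
    hits = Counter()
    for ts, src, dest, kind, detail in events:
        if kind == "http" and "cgiserver.cgi" in detail and "SetEmail" in detail:
            pending.setdefault(dest, []).append((ts, src))
        elif kind == "reboot":
            # Credit each distinct source seen inside the window once per reboot;
            # older requests are discarded so they cannot match a later reboot.
            recent = {s for t, s in pending.pop(dest, []) if ts - t <= window}
            for s in recent:
                hits[(s, dest)] += 1
    return {pair: n for pair, n in hits.items() if n >= threshold}

if __name__ == "__main__":
    for (src, dest), n in reboots_after_setemail(SAMPLE_LOG).items():
        print(f"ALERT {src} -> {dest}: {n} reboots within 30s of SetEmail requests")
```

A single reboot after one request is not flagged at the default threshold, which keeps scheduled restarts and firmware updates from alerting.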