CVE-2021-44376
📋 TL;DR
This vulnerability allows remote attackers to cause a denial of service by sending a specially crafted HTTP request to the cgiserver.cgi JSON command parser in affected Reolink cameras. The malformed SetIsp parameter triggers a reboot, disrupting camera functionality. Users of Reolink RLC-410W cameras with vulnerable firmware are affected.
💻 Affected Systems
- Reolink RLC-410W
⚠️ Risk & Real-World Impact
Worst Case
Persistent denial of service attacks could render cameras unusable for extended periods, disrupting surveillance coverage and potentially masking other malicious activities.
Likely Case
Attackers cause temporary camera reboots, creating surveillance gaps of several minutes during restart cycles.
If Mitigated
With proper network segmentation and access controls, impact is limited to internal network disruption only.
🎯 Exploit Status
Simple HTTP request with malformed JSON parameter; Talos Intelligence published detailed technical analysis.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Later firmware versions (check Reolink support for specific fixed version)
Vendor Advisory: https://support.reolink.com/hc/en-us/articles/
Restart Required: Yes
Instructions:
1. Log into Reolink client software or web interface.
2. Navigate to Settings > System > Maintenance.
3. Check for firmware updates.
4. Download and install latest firmware.
5. Camera will reboot automatically.
🔧 Temporary Workarounds
Network Segmentation
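Isolate cameras on a separate VLAN with restricted access to management interfaces.
Firewall Rules
On a Linux firewall, block external HTTP access to camera management ports (typically 80, 443, 9000).
# Run on the Linux router/firewall in front of the camera. FORWARD filters routed traffic;
# INPUT would only cover traffic addressed to the firewall host itself.
iptables -A FORWARD -d [CAMERA_IP] -p tcp --dport 80 -j DROP
iptables -A FORWARD -d [CAMERA_IP] -p tcp --dport 443 -j DROP
iptables -A FORWARD -d [CAMERA_IP] -p tcp --dport 9000 -j DROP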
🧯 If You Can't Patch
- Place cameras behind firewall with strict inbound rules blocking all external HTTP/HTTPS access
- Implement network monitoring for repeated reboot patterns or malformed HTTP requests to cgiserver.cgi
🔍 How to Verify
Check if Vulnerable:
Check firmware version in camera web interface: Settings > System > Device Information > Firmware Version
Check Version:
curl -s 'http://[CAMERA_IP]/cgi-bin/api.cgi?cmd=GetDevInfo' | grep -i firm
Verify Fix Applied:
Confirm firmware version is newer than v3.0.0.136_20121102 and test with controlled malformed HTTP request to cgiserver.cgi endpoint
📡 Detection & Monitoring
Log Indicators:
- Repeated camera reboot events
- HTTP 400/500 errors to cgiserver.cgi with malformed JSON
Network Indicators:
- HTTP POST requests to /cgi-bin/cgiserver.cgi with malformed SetIsp parameter
- Unusual reboot patterns from camera IPs
SIEM Query:
source="camera_logs" AND ("reboot" OR ("cgiserver.cgi" AND "400"))
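The monitoring idea above (SetIsp requests to cgiserver.cgi followed by camera reboots) can be automated by correlating two log sources. This is an added example, not part of the advisory or any Reolink tooling; both log formats, the IP addresses and the `cmd=SetIsp` query-string marker are assumptions, and the sample lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines; the format is an assumption, not a Reolink log format.
# <ISO time> <source> <camera> "<request line>" <status>  (proxy/IDS in front of the cameras)
HTTP_LOG = """\
2024-05-01T10:00:05 10.0.5.23 10.0.9.11 "POST /cgi-bin/cgiserver.cgi?cmd=SetIsp HTTP/1.1" 500
2024-05-01T10:01:00 10.0.5.40 10.0.9.12 "POST /cgi-bin/cgiserver.cgi?cmd=GetDevInfo HTTP/1.1" 200
2024-05-01T10:06:10 10.0.5.23 10.0.9.11 "POST /cgi-bin/cgiserver.cgi?cmd=SetIsp HTTP/1.1" 500
2024-05-01T10:30:00 10.0.5.40 10.0.9.12 "POST /cgi-bin/cgiserver.cgi?cmd=SetIsp HTTP/1.1" 200
"""
# <ISO time> <camera> reboot  (e.g. derived from uptime resets or link down/up events)
REBOOT_LOG = """\
2024-05-01T10:00:20 10.0.9.11 reboot
2024-05-01T10:06:25 10.0.9.11 reboot
2024-05-01T12:00:00 10.0.9.12 reboot
"""

REQ = re.compile(r'^(\S+) (\S+) (\S+) "POST (/cgi-bin/cgiserver\.cgi\S*) HTTP/[\d.]+" (\d{3})$')

def correlate(http_log, reboot_log, window=timedelta(seconds=60), min_hits=2):
    """Return {camera: [(source, request_time, reboot_time), ...]} for cameras that
    rebooted within `window` after a SetIsp request at least `min_hits` times."""
    requests = defaultdict(list)
    for line in http_log.splitlines():
        m = REQ.match(line.strip())
        if m and "cmd=SetIsp" in m.group(4):
            requests[m.group(3)].append((datetime.fromisoformat(m.group(1)), m.group(2)))
    hits = defaultdict(list)
    for line in reboot_log.splitlines():
        parts = line.split()
        if len(parts) != 3 or parts[2] != "reboot":
            continue  # skip malformed or unrelated lines
        t_reboot, camera = datetime.fromisoformat(parts[0]), parts[1]
        for t_req, source in requests.get(camera, []):
            if timedelta(0) <= t_reboot - t_req <= window:
                hits[camera].append((source, t_req, t_reboot))
    return {cam: h for cam, h in hits.items() if len(h) >= min_hits}

if __name__ == "__main__":
    for cam, events in correlate(HTTP_LOG, REBOOT_LOG).items():
        for source, t_req, t_reboot in events:
            print(f"{cam}: reboot at {t_reboot} follows SetIsp from {source} at {t_req}")
```

A single reboot after a legitimate SetIsp change is normal, which is why the default requires at least two request-then-reboot pairs per camera before reporting it.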