CVE-2021-44378 – A denial-of-service vulnerability in Reolink RL... (How to Fix)

Q: What is the severity of CVE-2021-44378?

CVE-2021-44378 has a CVSS score of 7.7 (HIGH). A denial-of-service vulnerability in Reolink RLC-410W cameras allows attackers to cause device reboots via specially crafted HTTP requests to the cgiserver.cgi JSON parser. This affects Reolink RLC-410W v3.0.0.136_20121102 firmware users, potentially disrupting surveillance operations.

📋 TL;DR

A denial-of-service vulnerability in Reolink RLC-410W cameras allows attackers to cause device reboots via specially crafted HTTP requests to the cgiserver.cgi JSON parser. This affects Reolink RLC-410W v3.0.0.136_20121102 firmware users, potentially disrupting surveillance operations.

💻 Affected Systems

Products:

Reolink RLC-410W

Versions: v3.0.0.136_20121102

Operating Systems: Embedded Linux firmware

Default Config Vulnerable: ⚠️ Yes

Notes: Affects cameras with web interface enabled. May affect other Reolink models with similar firmware but only RLC-410W confirmed.

📦 What is this software?

Rlc 410w Firmware by Reolink

View all CVEs affecting Rlc 410w Firmware →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Persistent device reboots causing extended surveillance downtime, potentially enabling physical security breaches during camera unavailability.

🟠

Likely Case

Temporary camera reboots disrupting surveillance feeds for several minutes, causing gaps in monitoring coverage.

🟢

If Mitigated

Minimal impact with proper network segmentation and access controls preventing external exploitation.

🌐 Internet-Facing: HIGH - Directly exposed cameras can be easily rebooted by any internet-based attacker with simple HTTP requests.

🏢 Internal Only: MEDIUM - Internal attackers or malware could still exploit this, but requires network access to camera management interface.

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Simple HTTP POST request with malformed JSON to cgiserver.cgi endpoint triggers reboot. No authentication required.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Later than v3.0.0.136_20121102

Vendor Advisory: https://talosintelligence.com/vulnerability_reports/TALOS-2021-1421

Restart Required: Yes

Instructions:

1. Log into Reolink web interface. 2. Navigate to System > Maintenance > Firmware Upgrade. 3. Download latest firmware from Reolink support site. 4. Upload and install firmware update. 5. Camera will reboot automatically.

🔧 Temporary Workarounds

Network Segmentation

all

Isolate cameras on separate VLAN without internet access

Access Control Lists

linux

Restrict HTTP access to camera management interface to trusted IPs only

iptables -A INPUT -p tcp --dport 80 -s TRUSTED_IP -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j DROP

🧯 If You Can't Patch

Place cameras behind firewall with strict inbound rules blocking all external access to web interface
Disable remote web interface access and use only local network or Reolink app with updated authentication

🔍 How to Verify

Check if Vulnerable:

Check firmware version in web interface: System > Device Information > Firmware Version

Check Version:

curl -s http://CAMERA_IP/cgi-bin/api.cgi?cmd=GetDevInfo | grep Firmware

Verify Fix Applied:

Verify firmware version is newer than v3.0.0.136_20121102 and test HTTP POST to cgiserver.cgi no longer causes reboot

📡 Detection & Monitoring

Log Indicators:

Multiple reboot events in system logs
HTTP POST requests to /cgi-bin/cgiserver.cgi with malformed JSON

Network Indicators:

HTTP POST to camera IP port 80 with Content-Type: application/json and malformed SetEnc parameter

SIEM Query:

source="camera_logs" AND (event="reboot" OR uri="/cgi-bin/cgiserver.cgi")

📊 Metadata

CVE ID: CVE-2021-44378

CVSS v3 Score: 7.7 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H

CWE: CWE-20

Published: January 28, 2022

Last Updated: November 21, 2024

🔗 References

https://talosintelligence.com/vulnerability_reports/TALOS-2021-1421 Exploit,Technical Description,Third Party Advisory
https://talosintelligence.com/vulnerability_reports/TALOS-2021-1421 Exploit,Technical Description,Third Party Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2021-44378, you might also want to check these: