CVE-2021-44386

7.7 HIGH

📋 TL;DR

This vulnerability allows remote attackers to cause a denial of service by sending a specially crafted HTTP request to the JSON command parser in cgiserver.cgi on the Reolink RLC-410W camera. The parser does not validate that the SetPtzPatrol parameter is a JSON object, and a request that supplies a non-object value triggers a device reboot. It affects users of Reolink RLC-410W cameras running vulnerable firmware.

💻 Affected Systems

Products:
  • Reolink RLC-410W
Versions: v3.0.0.136_20121102
Operating Systems: Embedded firmware
Default Config Vulnerable: ⚠️ Yes
Notes: Affects the specific firmware version mentioned; other Reolink models may have similar vulnerabilities but are not confirmed.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Persistent denial of service attacks could render the camera unavailable for extended periods, disrupting surveillance capabilities.

🟠 Likely Case

Attackers cause temporary camera reboots, creating surveillance gaps and potential system instability.

🟢 If Mitigated

With proper network segmentation and access controls, impact is limited to isolated camera reboots.

🌐 Internet-Facing: HIGH - The vulnerability is exploitable via HTTP requests, making internet-exposed cameras particularly vulnerable.
🏢 Internal Only: MEDIUM - Internal attackers or compromised internal systems could exploit this to disrupt surveillance.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The Talos Intelligence report includes technical details that could be used to create exploit code. The vulnerability requires sending a malformed HTTP request to the cgiserver.cgi endpoint.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Check Reolink for updated firmware

Vendor Advisory: https://talosintelligence.com/vulnerability_reports/TALOS-2021-1421

Restart Required: Yes

Instructions:

1. Check Reolink support for firmware updates.
2. Download the latest firmware for RLC-410W.
3. Upload firmware via camera web interface.
4. Reboot camera after update.

🔧 Temporary Workarounds

Network Segmentation

Isolate cameras on separate VLANs with strict firewall rules to limit access to the cgiserver.cgi endpoint.

Access Control Lists

Implement ACLs to restrict HTTP access to the camera management interface to trusted IPs only.

🧯 If You Can't Patch

  • Place cameras behind a WAF or reverse proxy that filters malformed HTTP requests
  • Disable remote access features and only allow local network access to cameras

🔍 How to Verify

Check if Vulnerable:

Check camera firmware version via web interface at Settings > System > Firmware Update

Check Version:

curl -s "http://[camera-ip]/cgi-bin/cgiserver.cgi?cmd=getSystemInfo" | grep version

Verify Fix Applied:

Verify firmware version is newer than v3.0.0.136_20121102 and test with controlled malformed HTTP requests

📡 Detection & Monitoring

Log Indicators:

  • Multiple HTTP requests to /cgi-bin/cgiserver.cgi with malformed JSON
  • Unexpected camera reboots in system logs

Network Indicators:

  • HTTP POST requests to cgiserver.cgi with SetPtzPatrol parameter that's not a valid JSON object

SIEM Query:

source="camera_logs" AND (uri="/cgi-bin/cgiserver.cgi" AND (message="reboot" OR message="crash"))
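
The network indicator above can be enforced in a reverse proxy or IDS hook before a request reaches the camera. The following Python is an added example, not code from Reolink or the Talos report; it assumes the POST body is a JSON list of command entries with "cmd" and "param" keys (a layout this page does not state), and the sample requests are constructed.

```python
import json

CGI_PATH = "/cgi-bin/cgiserver.cgi"
WATCHED_CMDS = {"setptzpatrol"}  # compared case-insensitively


def _reject_duplicate_keys(pairs):
    # Duplicate keys let two parsers disagree on which value wins; refuse them.
    keys = [k for k, _ in pairs]
    if len(keys) != len(set(keys)):
        raise ValueError("duplicate key")
    return dict(pairs)


def inspect_request(method, uri, body):
    """Return (verdict, reason); verdict is "allow" or "block"."""
    # Assumption (not from the page): the body is a JSON list of command
    # entries, each an object with a "cmd" name and a "param" value.
    if method.upper() != "POST" or uri.split("?", 1)[0] != CGI_PATH:
        return "allow", "not a cgiserver.cgi POST"
    try:
        doc = json.loads(body, object_pairs_hook=_reject_duplicate_keys)
    except (ValueError, TypeError):
        return "block", "body is not unambiguous JSON"
    for entry in (doc if isinstance(doc, list) else [doc]):
        if not isinstance(entry, dict):
            return "block", "command entry is not a JSON object"
        cmd = entry.get("cmd")
        if (isinstance(cmd, str) and cmd.lower() in WATCHED_CMDS
                and not isinstance(entry.get("param"), dict)):
            return "block", "SetPtzPatrol param is not a JSON object"
    return "allow", "ok"


# Constructed sample requests (not captured from a real device).
SAMPLES = [
    ("GET", CGI_PATH + "?cmd=getSystemInfo", ""),
    ("POST", CGI_PATH, '[{"cmd": "SetPtzPatrol", "param": {"placeholder": 1}}]'),
    ("POST", CGI_PATH, '[{"cmd": "SetPtzPatrol", "param": 0}]'),
    ("POST", CGI_PATH, '[{"cmd": "SetPtzPatrol", "param": {}, "param": 0}]'),
    ("POST", CGI_PATH, '[{"cmd": "SetPtzPatrol"'),
]

if __name__ == "__main__":
    for method, uri, body in SAMPLES:
        print(method, uri, inspect_request(method, uri, body))
```

A request with a missing "param" is blocked as well, since the check requires an object rather than merely rejecting known bad types.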
