CVE-2021-44394 – This vulnerability allows remote attackers to c... (How to Fix)

Q: What is the severity of CVE-2021-44394?

CVE-2021-44394 has a CVSS score of 7.5 (HIGH). This vulnerability allows remote attackers to cause denial of service by sending specially crafted HTTP requests to the cgiserver.cgi JSON command parser in Reolink RLC-410W cameras. Successful exploitation causes the device to reboot, disrupting camera functionality. Users of affected Reolink RLC-410W cameras with vulnerable firmware are impacted.

📋 TL;DR

This vulnerability allows remote attackers to cause denial of service by sending specially crafted HTTP requests to the cgiserver.cgi JSON command parser in Reolink RLC-410W cameras. Successful exploitation causes the device to reboot, disrupting camera functionality. Users of affected Reolink RLC-410W cameras with vulnerable firmware are impacted.

💻 Affected Systems

Products:

Reolink RLC-410W

Versions: v3.0.0.136_20121102

Operating Systems: Embedded Linux firmware

Default Config Vulnerable: ⚠️ Yes

Notes: Affects the web interface/HTTP service of the camera. No special configuration required for exploitation.

📦 What is this software?

Rlc 410w Firmware by Reolink

View all CVEs affecting Rlc 410w Firmware →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Persistent denial of service attacks could render cameras unusable for extended periods, disrupting security monitoring and recording capabilities.

🟠

Likely Case

Temporary camera reboots causing gaps in surveillance footage and loss of real-time monitoring during reboot cycles.

🟢

If Mitigated

Minimal impact with proper network segmentation and access controls preventing unauthorized HTTP requests to the camera interface.

🌐 Internet-Facing: HIGH - Directly exposed cameras can be attacked remotely without authentication via HTTP requests.

🏢 Internal Only: MEDIUM - Requires network access but still exploitable by internal attackers or compromised internal systems.

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Exploitation requires sending malformed JSON via HTTP POST to the vulnerable endpoint. No authentication required.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: v3.0.0.148_21021106 or later

Vendor Advisory: https://support.reolink.com/hc/en-us/articles/4412336141079

Restart Required: Yes

Instructions:

1. Log into Reolink web interface. 2. Navigate to System > Maintenance. 3. Check for firmware updates. 4. Download and install latest firmware. 5. Camera will automatically reboot after update.

🔧 Temporary Workarounds

Network Segmentation

all

Isolate cameras on separate VLAN with restricted access to prevent unauthorized HTTP requests.

Firewall Rules

all

Block external HTTP access to camera management interface while allowing necessary camera traffic.

🧯 If You Can't Patch

Implement strict network access controls to limit HTTP access to camera management interface
Monitor for unusual HTTP requests to cgiserver.cgi endpoint and implement rate limiting

🔍 How to Verify

Check if Vulnerable:

Check firmware version in camera web interface under System > Device Information. If version is v3.0.0.136_20121102 or earlier, device is vulnerable.

Check Version:

curl -s http://[camera-ip]/cgi-bin/system.cgi?cmd=getDevInfo | grep -i firmware

Verify Fix Applied:

Verify firmware version is v3.0.0.148_21021106 or later after update. Test by attempting to send malformed JSON to cgiserver.cgi endpoint (should not cause reboot).

📡 Detection & Monitoring

Log Indicators:

Multiple HTTP POST requests to /cgi-bin/cgiserver.cgi with malformed JSON
Unexpected camera reboot events in system logs

Network Indicators:

HTTP POST requests to cgiserver.cgi with unusual JSON payloads
Increased HTTP error responses from camera

SIEM Query:

source="camera-logs" AND (uri="/cgi-bin/cgiserver.cgi" AND (status=500 OR method="POST"))

📊 Metadata

CVE ID: CVE-2021-44394

CVSS v3 Score: 7.5 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE: CWE-20

Published: April 14, 2022

Last Updated: November 21, 2024

🔗 References

https://talosintelligence.com/vulnerability_reports/TALOS-2021-1421 Exploit,Third Party Advisory
https://talosintelligence.com/vulnerability_reports/TALOS-2021-1421 Exploit,Third Party Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2021-44394, you might also want to check these: