CVE-2021-44399
📋 TL;DR
A denial-of-service vulnerability in the JSON command parser of cgiserver.cgi on Reolink RLC-410W cameras lets an attacker reboot the device by sending specially crafted HTTP requests. The affected firmware is v3.0.0.136_20121102; any camera whose HTTP management interface is reachable from an untrusted network is exposed.
💻 Affected Systems
- Reolink RLC-410W
📦 What is this software?
Reolink RLC-410W is a Wi-Fi IP security camera sold for home and small-business surveillance. Its web management interface is backed by cgiserver.cgi, a CGI program that accepts JSON-encoded commands over HTTP; the vulnerable parser is part of that program.
⚠️ Risk & Real-World Impact
Worst Case
Persistent device unavailability through repeated reboots, disrupting surveillance coverage and potentially causing physical security gaps.
Likely Case
Temporary service disruption causing camera downtime and loss of surveillance footage during reboot cycles.
If Mitigated
Minimal impact if cameras are isolated from untrusted networks and patched promptly.
🎯 Exploit Status
Exploitation consists of sending an HTTP POST with malformed JSON to the cgiserver.cgi endpoint; it is trivial for anyone with network access to the camera's HTTP port and needs no special tooling beyond curl or a scripted HTTP client.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: not stated on this page; install the latest RLC-410W firmware published by Reolink
Vendor Advisory: https://reolink.com/support/security-advisory/
Restart Required: Yes
Instructions:
1. Log into the Reolink camera web interface.
2. Navigate to System > Maintenance > Firmware Upgrade.
3. Download the latest firmware for the RLC-410W from the Reolink support site.
4. Upload and apply the firmware update.
5. The camera reboots automatically when the update completes.
🔧 Temporary Workarounds
Network Segmentation
Isolate cameras on a separate VLAN or network segment with strict firewall rules.
Access Control Lists
Restrict HTTP access to the camera management interface to trusted IP addresses only. The camera itself offers no shell, so the rules below belong on a Linux router or firewall that sits between the camera segment and the rest of the network; they filter traffic forwarded to the camera (FORWARD chain), not traffic addressed to the firewall host (INPUT chain). If HTTPS is enabled on the camera, add the same pair of rules for port 443. Because -A appends, make sure no earlier blanket ACCEPT rule matches first.
# On the gateway in front of the camera: allow port 80 from the trusted host, drop everything else to the camera's port 80
iptables -A FORWARD -d CAMERA_IP -p tcp --dport 80 -s TRUSTED_IP -j ACCEPT
iptables -A FORWARD -d CAMERA_IP -p tcp --dport 80 -j DROP
🧯 If You Can't Patch
- Place cameras behind a firewall whose inbound rules block all HTTP access to them except from the NVR or management hosts that genuinely need it
- Monitor for repeated camera reboots and for unusual HTTP POST traffic to camera IPs on the cgiserver.cgi endpoint; a burst of malformed requests from one source is the signature of this attack
🔍 How to Verify
Check if Vulnerable:
Check firmware version in camera web interface under System > Device Information > Firmware Version
Check Version:
curl -s -X POST -H 'Content-Type: application/json' --data '[{"cmd":"GetDevInfo","action":0,"param":{}}]' 'http://CAMERA_IP/cgi-bin/cgiserver.cgi?cmd=GetDevInfo' | grep -i firm
Note: Reolink's JSON API is driven by POST requests carrying a command array, and GetDevInfo normally requires a session token appended as &token=..., so an unauthenticated request may return an error; the exact endpoint path also varies between firmware builds. If the request fails, read the version from the web interface as described above.
Verify Fix Applied:
Confirm that the firmware version is newer than v3.0.0.136_20121102. Only if a maintenance window allows it, and preferably on a spare unit, confirm that an HTTP POST to cgiserver.cgi with malformed JSON no longer reboots the camera: on unpatched firmware this test is the attack itself and will take the camera offline.
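The version check above is easy to get wrong when comparing strings by eye, and the firmware field is buried in a JSON response. The following is an added example, not code from the advisory or from Reolink: it parses a Reolink-style firmware string (major.minor.patch.build plus an 8-digit build-date field, assumed to sort chronologically as an integer) and pulls the version out of a GetDevInfo response. The response layout (a list with one object whose value.DevInfo.firmVer holds the string) and the sample response itself are assumed and constructed; confirm the shape against your own camera's reply.

```python
"""Assess a Reolink RLC-410W firmware string against CVE-2021-44399.

Added example, not from the advisory or Reolink. Assumptions:
- firmware strings look like vA.B.C.D_YYMMDDBB (the last field is treated
  as an 8-digit build date and compared numerically);
- GetDevInfo returns [{"cmd": "GetDevInfo", "code": 0,
  "value": {"DevInfo": {"firmVer": "...", ...}}}].
"""
import json
import re

# The only version the advisory names as affected.
ADVISORY_VERSION = "v3.0.0.136_20121102"

FW_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)\.(\d+)_(\d{8})")

# Constructed sample response in the assumed GetDevInfo shape.
SAMPLE_RESPONSE = (
    '[{"cmd":"GetDevInfo","code":0,"value":{"DevInfo":{'
    '"model":"RLC-410W","firmVer":"v3.0.0.136_20121102","name":"lobby-cam"}}}]'
)


def parse_firmware(text):
    """Return a comparable tuple (major, minor, patch, build, date) or raise."""
    m = FW_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised firmware string: {text!r}")
    return tuple(int(g) for g in m.groups())


def assess(firmware):
    """'vulnerable' for the advisory build, 'newer' for anything later,
    'older' for earlier builds (not named by the advisory; treat as suspect
    and upgrade anyway rather than assuming they are safe)."""
    ver = parse_firmware(firmware)
    ref = parse_firmware(ADVISORY_VERSION)
    if ver == ref:
        return "vulnerable"
    return "newer" if ver > ref else "older"


def firmware_from_devinfo(response_text):
    """Extract firmVer from a GetDevInfo response; raise if the shape differs."""
    doc = json.loads(response_text)
    for entry in doc:
        if entry.get("cmd") == "GetDevInfo" and entry.get("code") == 0:
            return entry["value"]["DevInfo"]["firmVer"]
    raise ValueError("no successful GetDevInfo entry in response")


if __name__ == "__main__":
    fw = firmware_from_devinfo(SAMPLE_RESPONSE)
    print(fw, "->", assess(fw))
```

To use it against a live camera, feed the body returned by the curl command above into firmware_from_devinfo; an "older" result means the build predates the one in the advisory and should be upgraded rather than assumed unaffected.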
📡 Detection & Monitoring
Log Indicators:
- Repeated camera reboot events in system logs
- HTTP POST requests to /cgi-bin/cgiserver.cgi with malformed JSON
Network Indicators:
- HTTP POST requests to camera IP port 80 with Content-Type: application/json and malformed GetPtzPreset parameter
- Unusual reboot patterns from camera IP addresses
SIEM Query:
source="camera_logs" AND (event="reboot" OR uri="/cgi-bin/cgiserver.cgi") | stats count by src_ip, event, uri
(Reboot events carry no source address, so keeping event and uri in the grouping lets you line up the reboot timestamps with the HTTP sources seen just before them.)
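The monitoring advice under "If You Can't Patch" and the indicators above both reduce to one rule: flag a source that sends several unparseable JSON bodies to /cgi-bin/cgiserver.cgi in a short window. The following is an added example, not part of the original advisory or any Reolink tooling. It assumes an access log from a reverse proxy or firewall in front of the camera in combined format with the raw request body appended as the last field (an assumed layout; adapt the regex to your own source), and it adds one heuristic beyond the advisory: a body that parses but does not match the Reolink command shape (a list of objects with a string "cmd" and an object "param") is flagged as "bad-schema". All log lines and addresses are constructed.

```python
"""Detect bursts of malformed JSON POSTs to the Reolink cgiserver.cgi endpoint.

Added example, not from the advisory or Reolink. Assumed log layout:
  <src> - - [<ts>] "<method> <path> <proto>" <status> <size> <raw body>
"""
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta

TARGET_PATH = "/cgi-bin/cgiserver.cgi"   # endpoint named in the advisory

LINE_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\S+) (?P<size>\S+) (?P<body>.*)$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample: three truncated/garbage bodies from 192.0.2.10 within
# 16 seconds, one well-formed command from 198.51.100.7, one parsable but
# malformed GetPtzPreset command from 203.0.113.5, and an unrelated GET.
SAMPLE_LOG = """
192.0.2.10 - - [12/Jan/2022:10:00:01 +0000] "POST /cgi-bin/cgiserver.cgi HTTP/1.1" 500 0 [{"cmd":"GetPtzPreset","param":{
192.0.2.10 - - [12/Jan/2022:10:00:09 +0000] "POST /cgi-bin/cgiserver.cgi HTTP/1.1" 500 0 [{"cmd":"GetPtzPreset","param":"}]
192.0.2.10 - - [12/Jan/2022:10:00:17 +0000] "POST /cgi-bin/cgiserver.cgi HTTP/1.1" 500 0 {{{{
198.51.100.7 - - [12/Jan/2022:10:01:00 +0000] "POST /cgi-bin/cgiserver.cgi HTTP/1.1" 200 512 [{"cmd":"GetDevInfo","action":0,"param":{}}]
203.0.113.5 - - [12/Jan/2022:10:02:30 +0000] "POST /cgi-bin/cgiserver.cgi HTTP/1.1" 500 0 [{"cmd":"GetPtzPreset","action":0,"param":"garbage"}]
198.51.100.7 - - [12/Jan/2022:10:01:05 +0000] "GET /index.html HTTP/1.1" 200 2048 -
"""


def parse_line(line):
    """Split one assumed-format log line into fields; None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["path"] = rec["path"].split("?", 1)[0]   # drop ?cmd=... query string
    return rec


def classify_body(body):
    """'unparseable' (the advisory's indicator), 'bad-schema' (added
    heuristic for the assumed command shape), or None for a normal body."""
    try:
        doc = json.loads(body)
    except ValueError:            # json.JSONDecodeError is a ValueError
        return "unparseable"
    for cmd in doc if isinstance(doc, list) else [doc]:
        if not isinstance(cmd, dict) or not isinstance(cmd.get("cmd"), str):
            return "bad-schema"
        if "param" in cmd and not isinstance(cmd["param"], dict):
            return "bad-schema"
    return None


def suspicious_events(log_text):
    """Yield (src, ts, reason) for POSTs to TARGET_PATH with a bad body."""
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or rec["method"] != "POST" or rec["path"] != TARGET_PATH:
            continue
        reason = classify_body(rec["body"])
        if reason:
            yield rec["src"], rec["ts"], reason


def find_offenders(log_text, threshold=3, window=timedelta(seconds=60)):
    """Map src -> count for sources with >= threshold bad requests inside
    any sliding window of the given length (a single bad request is noise;
    the reboot attack needs a series of them)."""
    by_src = defaultdict(list)
    for src, ts, _ in suspicious_events(log_text):
        by_src[src].append(ts)
    offenders = {}
    for src, times in by_src.items():
        times.sort()
        for i in range(len(times)):
            j = i
            while j < len(times) and times[j] - times[i] <= window:
                j += 1
            if j - i >= threshold:
                offenders[src] = j - i
                break
    return offenders


if __name__ == "__main__":
    for src, ts, reason in suspicious_events(SAMPLE_LOG):
        print(ts.isoformat(), src, reason)
    print("offenders:", find_offenders(SAMPLE_LOG))
```

Tune threshold and window to the normal chatter of your NVR or mobile app; a legitimate client never produces unparseable JSON, so even the single "bad-schema" hit from 203.0.113.5 is worth a ticket, while the threshold is there to turn the 192.0.2.10 burst into a page.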