CVE-2022-21217

9.8 CRITICAL

📋 TL;DR

CVE-2022-21217 is a critical out-of-bounds write vulnerability in Reolink RLC-410W IP cameras that allows remote attackers to execute arbitrary code by sending specially crafted HTTP requests to the TestEmail functionality. This affects organizations and individuals using vulnerable Reolink camera models exposed to network access. Successful exploitation could lead to complete device compromise.

💻 Affected Systems

Products:
  • Reolink RLC-410W
Versions: v3.0.0.136_20121102 and likely earlier versions
Operating Systems: Embedded Linux firmware
Default Config Vulnerable: ⚠️ Yes
Notes: Affects the TestEmail functionality specifically; devices with this feature enabled are vulnerable.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Remote code execution leading to full device takeover, lateral movement to other network devices, persistent backdoor installation, and potential data exfiltration.

🟠 Likely Case

Remote code execution allowing an attacker to disable camera functionality, modify video feeds, or use the device as a pivot point for further attacks.

🟢 If Mitigated

Limited impact if the device is isolated in a separate VLAN with strict network segmentation and access controls.

🌐 Internet-Facing: HIGH - Directly exploitable via HTTP requests without authentication, making internet-exposed devices immediate targets.
🏢 Internal Only: HIGH - Even internally, any network-accessible device is vulnerable to exploitation from compromised internal hosts.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires sending crafted HTTP requests to the vulnerable endpoint; detailed technical analysis available in Talos reports.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Check Reolink firmware updates for versions after v3.0.0.136_20121102

Vendor Advisory: https://support.reolink.com/hc/en-us/articles/360061010111

Restart Required: Yes

Instructions:

1. Log into the Reolink camera web interface.
2. Navigate to Settings > System > Maintenance.
3. Check for firmware updates.
4. Download and install the latest firmware.
5. Reboot the camera after the update.

🔧 Temporary Workarounds

  • Disable TestEmail functionality (applies to: all): remove or disable the TestEmail feature if it is not required.
  • Network segmentation (applies to: all): isolate cameras in a separate VLAN with strict firewall rules.

🧯 If You Can't Patch

  • Segment cameras into isolated network with no internet access
  • Implement strict firewall rules blocking all inbound HTTP traffic to camera management interfaces

🔍 How to Verify

Check if Vulnerable:

Check firmware version in camera web interface: Settings > System > Device Information

Check Version:

curl -s "http://[CAMERA_IP]/cgi-bin/api.cgi?cmd=GetDevInfo" | grep -i firm

(The URL is quoted so the shell does not treat `?` as a glob, and the grep is case-insensitive so the firmware field is matched regardless of how the API capitalises it.)

Verify Fix Applied:

Verify firmware version is updated beyond v3.0.0.136_20121102 and test TestEmail functionality

📡 Detection & Monitoring

Log Indicators:

  • Unusual HTTP POST requests to /cgi-bin/api.cgi with TestEmail parameters
  • Multiple failed TestEmail attempts

Network Indicators:

  • HTTP requests to camera IP with crafted TestEmail payloads
  • Unusual outbound connections from camera after exploitation

SIEM Query:

source="camera_logs" AND uri_path="/cgi-bin/api.cgi" AND query="*TestEmail*"

(The wildcards are needed because the query string carries TestEmail as a parameter value, e.g. cmd=TestEmail, rather than as the whole string.)
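The log indicators above as a small detector, added here as an example and not taken from this page or from Reolink: it parses constructed access-log lines in combined-log format (an assumed format, since the camera's own log layout is not given here), flags requests to /cgi-bin/api.cgi whose query string carries cmd=TestEmail, and reports any source that sends them repeatedly, optionally counting only failed (4xx/5xx) attempts.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Assumed combined-log-style format for a proxy or gateway in front of the camera
# (hypothetical: the RLC-410W's own log format is not stated on the page).
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \d+'
)
VULN_PATH = "/cgi-bin/api.cgi"
VULN_CMD = "TestEmail"

def is_testemail_request(line):
    """Return (source_ip, http_status) if the line hits the TestEmail API, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    if parts.path != VULN_PATH:
        return None
    if VULN_CMD not in parse_qs(parts.query).get("cmd", []):
        return None
    return m.group("src"), int(m.group("status"))

def find_suspicious_sources(lines, threshold=3, failed_only=False):
    """Count TestEmail requests per source and return those at or above threshold
    (the page's 'multiple TestEmail attempts' indicator). failed_only restricts
    the count to 4xx/5xx responses, i.e. 'multiple failed TestEmail attempts'."""
    per_src = Counter()
    for line in lines:
        hit = is_testemail_request(line)
        if hit and (not failed_only or hit[1] >= 400):
            per_src[hit[0]] += 1
    return {src: n for src, n in per_src.items() if n >= threshold}

# Constructed sample log lines (not real traffic); 10.0.0.9 repeats failing requests.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Mar/2022:10:00:01 +0000] "GET /cgi-bin/api.cgi?cmd=GetDevInfo HTTP/1.1" 200 312',
    '10.0.0.9 - - [01/Mar/2022:10:00:02 +0000] "POST /cgi-bin/api.cgi?cmd=TestEmail&token=abc HTTP/1.1" 500 48',
    '10.0.0.9 - - [01/Mar/2022:10:00:03 +0000] "POST /cgi-bin/api.cgi?cmd=TestEmail&token=abc HTTP/1.1" 500 48',
    '10.0.0.9 - - [01/Mar/2022:10:00:04 +0000] "POST /cgi-bin/api.cgi?cmd=TestEmail&token=abc HTTP/1.1" 500 48',
    '10.0.0.7 - - [01/Mar/2022:10:00:05 +0000] "POST /cgi-bin/api.cgi?cmd=TestEmail HTTP/1.1" 200 40',
    '10.0.0.7 - - [01/Mar/2022:10:00:06 +0000] "GET /index.html HTTP/1.1" 200 1024',
]

if __name__ == "__main__":
    for src, n in find_suspicious_sources(SAMPLE_LOG).items():
        print(f"ALERT: {src} sent {n} TestEmail requests to {VULN_PATH}")
```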
