CVE-2021-40411

Name of the Vulnerable Software and Affected Versions Reolink RLC-410W version 3.0.0.136 20121102

Description The issue exists due to the lack of proper validation of special elements used in an operating system command. This can be exploited by a remote attacker to execute arbitrary commands using a specially crafted HTTP request. The vulnerability is related to the dns2 parameter provided through the "SetLocalLink" API, which is not properly validated, leading to an OS command injection. The dns data->dns2 variable is specifically mentioned as the point of vulnerability.

Recommendations For Reolink RLC-410W version 3.0.0.136 20121102, consider disabling the SetLocalLink API until a patch is available to prevent potential OS command injection attacks. Restrict access to the network settings functionality to minimize the risk of exploitation. Avoid using the dns2 parameter in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.