PT-2022-11236 · Reolink · Reolink Rlc-410W

Francesco Benvenuto

Published

2022-01-28

Updated

2022-06-15

CVE-2021-40413

CVSS v3.1

7.1

High

Vector

AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H

Name of the Vulnerable Software and Affected Versions reolink RLC-410W version 3.0.0.136 20121102

Description An issue exists in the cgiserver.cgi cgi check ability functionality. The UpgradePrepare API checks if a provided filename identifies a new version of the RLC-410W firmware. If the version is new, it would be possible to later perform the Upgrade. An attacker can send an HTTP request to trigger this issue.

Recommendations For reolink RLC-410W version 3.0.0.136 20121102, consider restricting access to the UpgradePrepare API to minimize the risk of exploitation. As a temporary workaround, avoid using the UpgradePrepare API until a patch is available. At the moment, there is no information about a newer version that contains a fix for this issue.

Exploit

Fix

Improper Access Control

Incorrect Default Permissions

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-284CWE-276

Related Identifiers

CVE-2021-40413

Affected Products

Reolink Rlc-410W

PT-2022-11236 · Reolink · Reolink Rlc-410W

CVE-2021-40413

Weakness Enumeration

Related Identifiers

Affected Products

References · 3