PT-2022-12069 · Reolink · Reolink Rlc-410W

Francesco Benvenuto · Published 2022-01-28 · Updated 2022-10-25 · CVE-2021-44372

CVSS v3.1: 8.6 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions: Reolink RLC-410W version 3.0.0.136 20121102
Description: A denial-of-service issue exists in the JSON command parser of cgiserver.cgi. It can be triggered by a specially crafted HTTP request and causes the device to reboot. The issue occurs when the SetLocalLink param supplied in the request is not an object, so an attacker can trigger it by sending a single HTTP request.
Recommendations: For version 3.0.0.136 20121102, consider restricting access to the cgiserver.cgi JSON command parser functionality until a fix is available. As a temporary workaround, avoid using the SetLocalLink param in HTTP requests to minimize the risk of exploitation.

Related Identifiers: CVE-2021-44372

Affected Products: Reolink Rlc-410W