PT-2022-12073 · Reolink · Reolink Rlc-410W
Francesco Benvenuto
·
Published
2022-01-28
·
Updated
2022-10-25
·
CVE-2021-44376
CVSS v3.1
8.6
High
| Vector | AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H |
Name of the Vulnerable Software and Affected Versions
reolink RLC-410W version 3.0.0.136 20121102
Description
A denial of service issue exists in the cgiserver.cgi JSON command parser functionality. This can be triggered by a specially-crafted HTTP request, leading to a reboot. The
SetIsp param is not an object, which can be exploited by an attacker sending a specific HTTP request.Recommendations
For reolink RLC-410W version 3.0.0.136 20121102, as a temporary workaround, consider restricting access to the cgiserver.cgi JSON command parser functionality until a patch is available. Avoid using the
SetIsp param in the affected API endpoint until the issue is resolved.Exploit
Fix
RCE
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Reolink Rlc-410W