External risk intelligence

Reolink Camera Command Injection Vulnerability.

CVE advisory | Known Exploit

CVE-2021-40407

An OS command injection vulnerability exists in the network settings of Reolink RLC-410W devices, allowing attackers to execute commands via HTTP requests. This could lead to unauthorized access and control of the affected device.

Halo Surface Signal: 3

OS Command Injection

Reolink Rlc 410w Firmware

3.0.0.136_20121102

External exposure likelihood

Halo Surface Signal score for CVE-2021-40407

The vulnerability affects an IP camera, which is a network-connected device. While these devices are often deployed in local environments behind firewalls, they are frequently configured for remote access or cloud integration, making them plausibly reachable from the internet, though public exposure is not a universal requirement for normal functionality.

Horizon Alert

Summary of the vulnerability and why it matters

An OS command injection vulnerability exists in the device network settings of certain Reolink products. This flaw allows an attacker to execute commands on the affected device by sending a specially crafted HTTP request. The potential impact includes unauthorized access and control over the device's functionalities.

  • Vulnerable network settings functionality
  • Improper validation of domain input
  • Unauthorized device control and access

Attack Path

How an attacker could exploit the issue

An OS command injection vulnerability exists in the network settings functionality of the Reolink RLC-410W. Attackers can exploit this by sending an HTTP request that targets the DDNS domain variable. This variable is not properly validated, allowing for the injection of OS commands. This could lead to unauthorized control or impact on the affected device.

  • Exposure condition: Network access to device settings.
  • Attacker starting point: Authenticated access.
  • Trigger and result: HTTP request leads to command execution.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability presents a significant threat, as it allows for complete device compromise. Attackers with administrative credentials and network access can inject malicious commands, potentially leading to data theft or disruption of services. CISA has identified this vulnerability as actively exploited, indicating a high level of risk. Organizations utilizing the affected devices should consider this a critical and urgent threat.

  • Likely attacker skill level: High.
  • Required access or conditions: Authenticated network access.
  • Business risk or urgency: Critical, urgent.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

An OS command injection vulnerability has been identified that could allow an attacker to execute commands on affected devices. This vulnerability exists in the device network settings functionality. Attackers can exploit this by sending a specially crafted HTTP request. The potential impact includes unauthorized command execution, which could lead to a compromise of the device and data.

  • Identify exposed devices.
  • Isolate affected devices from the network.
  • Replace or upgrade devices.
  • Monitor for related activity.

Frequently asked questions

What is the Reolink RLC-410W?

The Reolink RLC-410W is an IP camera manufactured by Reolink. The vulnerability discussed here is in its device network settings functionality.

What is CVE-2021-40407?

CVE-2021-40407 is an OS command injection vulnerability affecting the Reolink RLC-410W. This weakness is classified as CWE-78, which involves the improper neutralization of special elements used in an OS command. An attacker could exploit this by sending an HTTP request to inject commands into the DDNS domain variable, which is not adequately validated.

How can CVE-2021-40407 be triggered?

An attacker needs authenticated network access to the device's settings to trigger this vulnerability. They can send a specially crafted HTTP request to the SetDdns API, targeting the ddns->domain variable. Input provided in this variable is not properly validated, allowing for command injection. The vulnerability is not triggered if the DDNS type does not use the domain parameter.
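As an added example (not part of the advisory and not Reolink's code), the check below supports the "monitor for related activity" step: it applies a hostname allowlist to the DDNS domain field of logged or proxied SetDdns request bodies and returns any value that is not a valid hostname. The JSON layout (a `cmd` key and a nested `domain` key) and the sample bodies are assumptions constructed for illustration.

```python
import json
import re

# RFC 1123 hostname: dot-separated labels of letters, digits and hyphens,
# 1-63 characters each, no leading or trailing hyphen, 253 characters overall.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_HOSTNAME = re.compile(rf"{_LABEL}(?:\.{_LABEL})*")


def is_valid_hostname(value):
    """Allowlist check: True only for a syntactically valid DNS hostname."""
    return (isinstance(value, str) and len(value) <= 253
            and _HOSTNAME.fullmatch(value) is not None)


def _domain_values(node):
    """Yield every value stored under a key named 'domain', at any depth."""
    if isinstance(node, dict):
        for key, val in node.items():
            if key.lower() == "domain":
                yield val
            else:
                yield from _domain_values(val)
    elif isinstance(node, list):
        for item in node:
            yield from _domain_values(item)


def suspicious_setddns(body):
    """Return non-empty DDNS domain values in a request body that fail the allowlist."""
    try:
        commands = json.loads(body)
    except ValueError:
        return []  # not JSON: nothing to inspect here
    if isinstance(commands, dict):
        commands = [commands]
    if not isinstance(commands, list):
        return []
    hits = []
    for cmd in commands:
        if isinstance(cmd, dict) and cmd.get("cmd") == "SetDdns":
            hits += [v for v in _domain_values(cmd) if v and not is_valid_hostname(v)]
    return hits


# Constructed sample bodies; the layout is assumed, not taken from the advisory.
BENIGN = '[{"cmd": "SetDdns", "param": {"Ddns": {"domain": "cam.example.net"}}}]'
TAMPERED = '[{"cmd": "SetDdns", "param": {"Ddns": {"domain": "cam.example.net;id"}}}]'
OTHER = '[{"cmd": "OtherCmd", "param": {"domain": "pool;x"}}]'
```

Because the check is an allowlist on hostname syntax rather than a blocklist of shell characters, it flags any unexpected byte in the field, including whitespace and newlines.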

Who should care about this vulnerability based on Halo Surface Signal?

This vulnerability is considered to have a 'Possible' exposure level. While IP cameras are often internal, they can be configured for remote access or cloud integration, potentially making them reachable from the internet. Therefore, individuals and organizations managing Reolink RLC-410W devices, especially those with remote access enabled, should be aware of this threat.

What are the first steps for running this technology?

If you are using the Reolink RLC-410W, the first step is to identify if the affected firmware version is in use. Since the product may be end-of-life or end-of-service, check for official support or updates. If a mitigation is not available, consider discontinuing the product's use.
