Francesco Benvenuto of Cisco Talos discovered these vulnerabilities.
Cisco Talos recently discovered several vulnerabilities in the Reolink RLC-410W security camera that could allow an attacker to perform several malicious actions, including performing man-in-the-middle attacks, stealing user login credentials and more.
The Reolink RLC-410W is a WiFi-connected security camera. The camera includes motion detection functionalities and multiple ways to save and view the recordings. The vulnerabilities Talos discovered exist in various functions and features of the camera. Some of these exploits could be combined, as well, to reboot the camera without authentication or run certain APIs.
There are five denial-of-service vulnerabilities that could allow an adversary to make the web service unresponsive and restart the device if they send specific network requests to the target:
- TALOS-2021-1421 (CVE-2021-44354 - CVE-2021-44419)
- TALOS-2021-1422 (CVE-2021-40405)
- TALOS-2021-1423 (CVE-2021-40406)
- TALOS-2021-1432 (CVE-2021-40423)
- TALOS-2021-1425 (CVE-2021-40413 - CVE-2021-40416)
TALOS-2022-1450 (CVE-2022-21801) is also a denial-of-service vulnerability, but rather than dealing with the web service, it affects a binary called “netserver.”
TALOS-2021-1420 (CVE-2021-40404) is an authentication bypass vulnerability that could allow, in combination with other vulnerabilities, to execute privileged action without authentication. If combined with TALOS-2021-1421, 1422 or 1425, the attacker could cause a denial-of-service without authentication.
TALOS-2021-1425 is also unique because a low-privileged user could reformat the SD card in the camera. This API allows only admin accounts to execute it. But if this vulnerability is combined with 1420, no authentication is required to delete recordings on the camera.
Two other vulnerabilities, TALOS-2022-1447 (CVE-2022-21134) and TALOS-2021-1428 (CVE-2021-40419) can also be triggered with malicious network requests. However, in those cases, it only causes the camera to update to the latest firmware without the user’s knowledge. If the attacker exploits TALOS-2021-1428, they could even force the upgrade without any MITM involved.
TALOS-2022-1445 (CVE-2022-21217) and TALOS-2022-1451 (CVE-2022-21796) are issues in two different functionalities of the camera’s firmware. An attacker could exploit these vulnerabilities to cause out-of-bounds write conditions.
TALOS-2021-1424 (CVE-2021-40407 - CVE-2021-40412), which has a severity score of 9.1 out of a possible 10, could also be exploited to execute arbitrary code on the targeted device.
Lastly, there are two information disclosure vulnerabilities in the camera: TALOS-2022-1446 (CVE-2022-21236) and TALOS-2022-1448 (CVE-2022-21199). An attacker could exploit either of these to view sensitive information that could be used in man-in-the-middle attacks against the device.
Cisco Talos worked with Reolink to ensure that this issue is resolved and an update is available for affected customers, all in adherence to Cisco’s vulnerability disclosure policy.
Users are advised to update the Reolink RLC-410W v126.96.36.199_20121102, which is tested and confirmed to be affected by these vulnerabilities.
The following SNORTⓇ rules will detect exploitation attempts against these vulnerabilities: 58691 - 58693, 58698, 58699, 58718, 58817 – 58720 and 58926 – 58928. Additional rules may be released in the future and current rules are subject to change, pending additional vulnerability information. For the most current rule information, please refer to your Cisco Secure Firewall management center or Snort.org.