CVE-2021-40407
Published: 28 January 2022
Summary
CVE-2021-40407 is a high-severity OS command injection (CWE-78) vulnerability in the firmware of the Reolink RLC-410W IP camera. Its CVSS v3.1 base score is 7.2 (High), vector AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H: network-reachable and low complexity, but it requires high (administrative) privileges and yields full impact on confidentiality, integrity and availability.
Operationally, it ranks in the top 3.7% of CVEs by exploit likelihood, CISA has added it to the Known Exploited Vulnerabilities (KEV) catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and AC-6 (Least Privilege).
Deeper analysis
An OS command injection vulnerability exists in the device network settings functionality of the Reolink RLC-410W camera running firmware version 3.0.0.136_20121102. The flaw lies in the handling of the ddns->domain value, which is taken from the domain parameter of the SetDdns API: depending on the selected DDNS type, the value is not validated properly before it is used to build an operating system command, so shell metacharacters in the domain string are interpreted by the device's shell and arbitrary commands are executed.
An authenticated attacker with administrative privileges can send a crafted HTTP request carrying a malicious domain parameter to trigger the vulnerability. Successful exploitation allows arbitrary command execution on the device, giving the attacker full control over the confidentiality, integrity, and availability of the affected camera. Because administrative credentials are required, default or reused admin passwords and management interfaces exposed to untrusted networks are what make this exploitable in practice.
The issue is documented in detail in the Cisco Talos advisory TALOS-2021-1424 and appears in the CISA Known Exploited Vulnerabilities catalog, which indicates confirmed real-world exploitation. No specific patch or mitigation details are provided in the available references; practitioners should check the firmware version shown in the camera's web interface against 3.0.0.136_20121102, keep the management interface off the internet, and ensure the administrative account does not use a default or shared password.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2021-27584
Vulnerability details
An OS command injection vulnerability exists in the device network settings functionality of Reolink RLC-410W v3.0.0.136_20121102. At [1] or [2] (code locations marked in the Talos advisory), based on DDNS type, the ddns->domain variable, which holds the value of the domain parameter provided through the SetDdns API, is not validated properly. This would lead to an OS command injection. An attacker can send an HTTP request to trigger this vulnerability.
- CWE(s): CWE-78 (Improper Neutralization of Special Elements used in an OS Command)
- KEV Date Added: 18 December 2024
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
- Reolink RLC-410W camera, firmware version 3.0.0.136_20121102
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly requires validation and sanitization of the untrusted ddns->domain parameter supplied to SetDdns before it is used in OS command construction.
- AC-6 (Least Privilege): limits the privileges of the web-server or DDNS-handling process so that a successful command injection cannot immediately yield full device control.
- Monitoring: enables detection of process execution, API calls, and anomalous command patterns that would reveal attempted or successful exploitation of the domain parameter.
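As an added illustration of the flaw described under Deeper analysis and of the SI-10 control above (this is not Reolink's code; the camera's real SetDdns handler is not shown anywhere on this page), the C program below contrasts the injection-prone pattern the advisory describes, splicing the domain value into a shell command line, with the input-validation approach: the hostname is checked against RFC 1123 syntax and then handed to the updater as a separate argv element so that no shell ever parses it. The binary path /usr/bin/ddns_update, the -h flag and the sample domain values are assumptions constructed for the example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical illustration, not Reolink firmware code: a DDNS "domain"
 * arrives from the SetDdns API and ends up in an OS command. */

/* Validate a hostname against RFC 1123 rules: 1..253 characters, labels of
 * 1..63 characters drawn from [A-Za-z0-9-], no leading or trailing hyphen
 * in a label, labels separated by single dots. Every shell metacharacter
 * (';', '|', '&', '$', '`', quotes, spaces, newlines) falls outside the
 * allow-list, so a valid hostname cannot escape the argument it fills.
 * Returns 1 if valid, 0 otherwise. */
int is_valid_ddns_hostname(const char *s)
{
    size_t len, i, label_len = 0;

    if (s == NULL)
        return 0;
    len = strlen(s);
    if (len == 0 || len > 253)
        return 0;

    for (i = 0; i < len; i++) {
        unsigned char c = (unsigned char)s[i];
        if (c == '.') {
            /* empty label ("a..b", leading '.') or label ending in '-' */
            if (label_len == 0 || s[i - 1] == '-')
                return 0;
            label_len = 0;
            continue;
        }
        if (!(isalnum(c) || c == '-'))
            return 0;
        if (label_len == 0 && c == '-')
            return 0;
        if (++label_len > 63)
            return 0;
    }
    /* the final label must be non-empty and must not end in '-' */
    return label_len > 0 && s[len - 1] != '-';
}

/* The injection-prone pattern: the domain is spliced into a command line
 * destined for a shell. A value such as "cam.example.com; reboot" becomes
 * two commands. Shown only for contrast; never pass the result to system().
 * Returns 0 on success, -1 if the buffer is too small. */
int build_ddns_command_unsafe(char *out, size_t outlen, const char *domain)
{
    int n = snprintf(out, outlen, "/usr/bin/ddns_update -h %s", domain);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* Hardened pattern: validate first, then build an argv for execv(2) so the
 * domain is a single argument and no shell interprets it. argv must have
 * room for 4 entries. Returns the argument count (3), or -1 if rejected. */
int build_ddns_argv_safe(const char *argv[4], const char *domain)
{
    if (!is_valid_ddns_hostname(domain))
        return -1;
    argv[0] = "/usr/bin/ddns_update";   /* assumed updater binary */
    argv[1] = "-h";
    argv[2] = domain;
    argv[3] = NULL;
    return 3;
}

int main(void)
{
    /* constructed sample inputs, not captured traffic */
    const char *samples[] = {
        "cam.example.com",          /* benign */
        "cam.example.com; reboot",  /* shell command separator */
        "$(id).example.com",        /* command substitution */
    };
    char cmd[256];
    const char *argv[4];
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        build_ddns_command_unsafe(cmd, sizeof cmd, samples[i]);
        printf("unsafe command line: %s\n", cmd);
        if (build_ddns_argv_safe(argv, samples[i]) < 0)
            printf("hardened handler   : rejected \"%s\"\n\n", samples[i]);
        else
            printf("hardened handler   : execv(%s, [%s, %s, %s])\n\n",
                   argv[0], argv[0], argv[1], argv[2]);
    }
    return 0;
}
```

The validator is deliberately stricter than what a resolver would accept (no underscores, no trailing dot); for a DDNS hostname that is acceptable, and it is the point of SI-10 here: an allow-list of characters removes the whole class of shell metacharacters, whereas a deny-list of known-bad characters is what tends to miss a DDNS-type-specific path. Passing the value through argv rather than a shell string is the matching AC-6-style containment: even a bug in the validator then yields a bad hostname, not a second command.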