Headline
CVE-2021-44419: TALOS-2021-1421 || Cisco Talos Intelligence Group
A denial of service vulnerability exists in the cgiserver.cgi JSON command parser functionality of reolink RLC-410W v3.0.0.136_20121102. A specially-crafted HTTP request can lead to a reboot. GetMdAlarm param is not object. An attacker can send an HTTP request to trigger this vulnerability.
CVE-2021-44354,CVE-2021-44355, CVE-2021-44356, CVE-2021-44357, CVE-2021-44358, CVE-2021-44359, CVE-2021-44360, CVE-2021-44361, CVE-2021-44362, CVE-2021-44363, CVE-2021-44364, CVE-2021-44365, CVE-2021-44366, CVE-2021-44367, CVE-2021-44368, CVE-2021-44369, CVE-2021-44370, CVE-2021-44371, CVE-2021-44372, CVE-2021-44373, CVE-2021-44374, CVE-2021-44375, CVE-2021-44376, CVE-2021-44377, CVE-2021-44378, CVE-2021-44379, CVE-2021-44380, CVE-2021-44381, CVE-2021-44382, CVE-2021-44383, CVE-2021-44384, CVE-2021-44385, CVE-2021-44386, CVE-2021-44387, CVE-2021-44388, CVE-2021-44389, CVE-2021-44390, CVE-2021-44391, CVE-2021-44392, CVE-2021-44393, CVE-2021-44394, CVE-2021-44395, CVE-2021-44396, CVE-2021-44397, CVE-2021-44398, CVE-2021-44399, CVE-2021-44400,CVE-2021-44401, CVE-2021-44402,CVE-2021-44403,CVE-2021-44404,CVE-2021-44405, CVE-2021-44406, CVE-2021-44407, CVE-2021-44408, CVE-2021-44409, CVE-2021-44410, CVE-2021-44411, CVE-2021-44412, CVE-2021-44413, CVE-2021-44414, CVE-2021-44415, CVE-2021-44416, CVE-2021-44417, CVE-2021-44418, CVE-2021-44419
Summary
Multiple denial of service vulnerabilities exist in the cgiserver.cgi JSON command parser functionality of reolink RLC-410W v3.0.0.136_20121102. A specially-crafted HTTP request can lead to a reboot. An attacker can send an HTTP request to trigger this vulnerability.
Tested Versions
reolink RLC-410W v3.0.0.136_20121102
Product URLs
RLC-410W - https://reolink.com/us/product/rlc-410w/
CVSSv3 Score
8.6 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H
CWE
CWE-20 - Improper Input Validation
Details
The reolink RLC-410W is a WiFi security camera. The camera includes motion detection functionalities and various methods to save the recordings.
The RLC-410W offers different APIs for different levels of authentication. One of these APIs has the purpose of rebooting the device; this API should be executed by administrator users only.
A specially-crafted HTTP request can lead to kill the cgiserver.cgi process and a consequentially to the reboot of the device, without the required permission.
The cgiserver.cgi manages the API requests, parsing the commands and parameters provided. One way to issue commands and parameters is by providing those in a JSON array in the body. A body with commands looks like the following:
[
{
"cmd": <COMMAND NAME 1>,
"action": <ACTION NUMBER 1>,
"param":{
<COMMAND PARAMETERS 1>
}
},
...
{
"cmd": <COMMAND NAME n>,
"action": <ACTION NUMBER n>,
"param":{
<COMMAND PARAMETERS n>
}
},
]
All the JSON elements inside a JSON object are going to be accessed using the subscription operator:
int __thiscall Json::Value::operator[](Value *this,char *key)
{
[...]
puVar4 = &_mips_gp0_value;
if (this->type == null) {
Value(aVStack64,7);
operator=(this,aVStack64);
~Value(aVStack64);
}
else {
if (this->type != object) {
/* WARNING: Subroutine does not return */
__assert(s_type__==_nullValue_||_type__==_o_004e3084,
"/home/mdq/new_svn/test/ipc/trunk/opensource/libjson/src/json_value.cpp",0x401); [1]
}
}
[...]
}
If the JSON element is neither of the type null or object, the program will assert. If this happens, the cgiserver.cgi process will not able to send its heartbeat. Eventually the entire device will be rebooted.
Each one of the provided commands is parsed by the body_request_to_command:
undefined body_request_to_command(cgi_request *req,cgi_cmd *cgi_cmd,Value *json_element)
{
[...]
pVVar3 = (Value *)Json::Value::operator[](json_element,"cmd"); [2]
[...]
}
In [2] the json_element represents one of the elements of the array that contains the commands.
Instead, each param object is parsed individually for each API. But the code that passes the param JSON object, as argument for the function, is the same for all the APIs. The API-specific param parser is called in the cgi_param_parse function:
int cgi_param_parse(cgi_cmd *cgi_cmd,cgi_session *session)
{
[...]
Json::Reader::Reader(json_reader);
Json::Value::Value(&body_as_json,0);
pcVar1 = cgi_cmd->associated_request;
if (pcVar1->is_commands_in_body == 0) {
API_command = cgi_cmd->command_ID;
CHECK_PERMISSIONS:
iVar3 = check_channel_if_command_require_it(API_command,cgi_cmd->query_string[channel]);
if (iVar3 == 0) {
AVar4 = cgi_check_ability(cgi_cmd->command_ID,session,cgi_cmd->query_string[channel]); [3]
dVar5 = 0;
if (AVar4 == ~not exist) goto LAB_0043ca18;
}
else {
AVar4 = check err;
}
}
else {
if (pcVar1->CONTENT_LENGTH == 0) {
API_command = cgi_cmd->command_ID;
goto CHECK_PERMISSIONS;
}
std::basic_string<char,std::char_traits<char>,std::allocator<char>>::basic_string
((char *)body_data_as_string,(allocator *)pcVar1->body_data);
is_valid_json = Json::Reader::parse(json_reader,body_data_as_string,&body_as_json,true);
std::basic_string<char,std::char_traits<char>,std::allocator<char>>::~basic_string
((basic_string<char,std::char_traits<char>,std::allocator<char>> *)body_data_as_string
);
if (is_valid_json != 0) {
command_struct = (command_struct *)get_command_struct_by_id(cgi_cmd->command_ID);
j2s_function = command_struct->j2s;
pVVar2 = (Value *)Json::Value::operator[](&body_as_json,cgi_cmd->idx_in_array_command);
pVVar2 = (Value *)Json::Value::operator[](pVVar2,"param"); [4]
dVar5 = (*j2s_function)(pVVar2,cgi_cmd); [5]
if (dVar5 != 0) goto LAB_0043ca18;
API_command = cgi_cmd->command_ID;
goto CHECK_PERMISSIONS;
}
[...]
}
At [4] the param element is taken and passed at [5] to the API-specific JSON parser that will parse the parameters. After the parsing, at [3], it is checked that the user who requested the API has the correct permission for performing it.
Both the code at [2] and the code called to parse the param JSON element at [5] assume that the JSON passed are JSON objects, but this is not always the case. For example with:
curl --request POST \
--data "[{\"cmd\": \"<CMD_NAME>\",\"action\": 0,\"param\": \"\"}]" \
http://<CAMERA_IP>/cgi-bin/api.cgi\?cmd\=<CMD_NAME>&token\=<SESSION_TOKEN>
Based on the CMD_NAME, this request could crash the device, because at [5] the param JSON element is taken and passed to the CMD_NAME API-specific parameters parser. In various APIs, that requires param. The parser code will assume, erroneously, that the JSON element of param is an object, accessing it with the subscription operator, leading to the assert at [1].
Note that, while most of this requires a logged-in user, it’s possible to use TALOS-2021-1420 to perform these API calls without authentication.
CVE-2021-44354 - JSON command is not object
The body_request_to_command function will expect JSON objects as elements of the JSON array. If the following request’s body is provided:
[
""
]
The cgiserver.cgi will reach the assert at [1] and consequently the reboot of the camera. Note that, this issue does not require a logged-in user.
CVE-2021-44355 - SetMdAlarm param is not object
The SetMdAlarm’s JSON param parser will assume that the param JSON element is an object, accessing it using subscription operator. If the following request’s body is provided:
[
{
"cmd": "SetMdAlarm",
"action": 0,
"param": ""
}
]
The cgiserver.cgi will reach the assert at [1] and consequently reboot the camera.
CVE-2021-44356 - SetAudioAlarm param is not object
The SetAudioAlarm’s JSON param parser will assume that the param JSON element is an object, accessing it using subscription operator. If the following request’s body is provided:
[
{
"cmd": "SetAudioAlarm",
"action": 0,
"param": ""
}
]
The cgiserver.cgi will reach the assert at [1] and consequently reboot the camera.
CVE-2021-44357 - SetAlarm param is not object
The SetAlarm’s JSON param parser will assume that the param JSON element is an object, accessing it using subscription operator. If the following request’s body is provided:
[
{
"cmd": "SetAlarm",
"action": 0,
"param": ""
}
]
The cgiserver.cgi will reach the assert at [1] and consequently reboot the camera.
CVE-2021-44358 - SetRec param is not object
The SetRec’s JSON param parser will assume that the param JSON element is an object, accessing it using subscription operator. If the following request’s body is provided:
[
{
"cmd": "SetRec",
"action": 0,
"param": ""
}
]
The cgiserver.cgi will reach the assert at [1] and consequently reboot the camera.
CVE-2021-44359 - SetCrop param is not object
The SetCrop’s JSON param parser will assume that the param JSON element is an object, accessing it using subscription operator. If the following request’s body is provided:
[
{
"cmd": "SetCrop",
"action": 0,
"param": ""
}
]
The cgiserver.cgi will reach the assert at [1] and consequently reboot the camera.
CVE-2021-44360 - SetNorm param is not object
The SetNorm’s JSON param parser will assume that the param JSON element is an object, accessing it using subscription operator. If the following request’s body is provided:
[
{
"cmd": "SetNorm",
"action": 0,
"param": ""
}
]
The cgiserver.cgi will reach the assert at [1] and consequently reboot the camera.
CVE-2021-44361 - Set3G param is not object
The Set3G’s JSON param parser will assume that the param JSON element is an object, accessing it using subscription operator. If the following request’s body is provided:
[
{
"cmd": "Set3G",
"action": 0,
"param": ""
}
]
The cgiserver.cgi will reach the assert at [1] and consequently reboot the camera.
CVE-2021-44362 - SetCloudSchedule param is not object
The SetCloudSchedule’s JSON param parser will assume that the param JSON element is an object, accessing it using subscription operator. If the following request’s body is provided:
[
{
"cmd": "SetCloudSchedule",
"action": 0,
"param": ""
}
]
The cgiserver.cgi will reach the assert at [1] and consequently reboot the camera.
CVE-2021-44363 - SetPush param is not object
The SetPush’s JSON param parser will assume that the param JSON element is an object, accessing it using subscription operator. If the following request’s body is provided:
[
{
"cmd": "SetPush",
"action": 0,
"param": ""
}
]
The cgiserver.cgi will reach the assert at [1] and consequently reboot the camera.
CVE-2021-44364 - SetWifi param is not object
The SetWifi’s JSON param parser will assume that the param JSON element is an object, accessing it using subscription operator. If the following request’s body is provided:
[
{
"cmd": "SetWifi",
"action": 0,
"param": ""
}
]
The cgiserver.cgi will reach the assert at [1] and consequently reboot the camera.
CVE-2021-44365 - SetDevName param is not object
The SetDevName’s JSON param parser will assume that the param JSON element is an object, accessing it using subscription operator. If the following request’s body is provided:
[
{
"cmd": "SetDevName",
"action": 0,
"param": ""
}
]
The cgiserver.cgi will reach the assert at [1] and consequently reboot the camera.
CVE-2021-44366 - SetP2p param is not object
The SetP2p’s JSON param parser will assume that the param JSON element is an object, accessing it using subscription operator. If the following request’s body is provided:
[
{
"cmd": "SetP2p",
"action": 0,
"param": ""
}
]
The cgiserver.cgi will reach the assert at [1] and consequently reboot the camera.
CVE-2021-44367 - SetUpnp param is not object
The SetUpnp’s JSON param parser will assume that the param JSON element is an object, accessing it using subscription operator. If the following request’s body is provided:
[
{
"cmd": "SetUpnp",
"action": 0,
"param": ""
}
]
The cgiserver.cgi will reach the assert at [1] and consequently reboot the camera.
CVE-2021-44368 - SetNetPort param is not object
The SetNetPort’s JSON param parser will assume that the param JSON element is an object, accessing it using subscription operator. If the following request’s body is provided:
[
{
"cmd": "SetNetPort",
"action": 0,
"param": ""
}
]
The cgiserver.cgi will reach the assert at [1] and consequently reboot the camera.
CVE-2021-44369 - SetNtp param is not object
The SetNtp’s JSON param parser will assume that the param JSON element is an object, accessing it using subscription operator. If the following request’s body is provided:
[
{
"cmd": "SetNtp",
"action": 0,
"param": ""
}
]
The cgiserver.cgi will reach the assert at [1] and consequently reboot the camera.
CVE-2021-44370 - SetFtp param is not object
The SetFtp’s JSON param parser will assume that the param JSON element is an object, accessing it using subscription operator. If the following request’s body is provided:
[
{
"cmd": "SetFtp",
"action": 0,
"param": ""
}
]
The cgiserver.cgi will reach the assert at [1] and consequently reboot the camera.
CVE-2021-44371 - SetEmail param is not object
The SetEmail’s JSON param parser will assume that the param JSON element is an object, accessing it using subscription operator. If the following request’s body is provided:
[
{
"cmd": "SetEmail",
"action": 0,
"param": ""
}
]
The cgiserver.cgi will reach the assert at [1] and consequently reboot the camera.
CVE-2021-44372 - SetLocalLink param is not object
The SetLocalLink’s JSON param parser will assume that the param JSON element is an object, accessing it using subscription operator. If the following request’s body is provided:
[
{
"cmd": "SetLocalLink",
"action": 0,
"param": ""
}
]
The cgiserver.cgi will reach the assert at [1] and consequently reboot the camera.
CVE-2021-44373 - SetAutoFocus param is not object
The SetAutoFocus’s JSON param parser will assume that the param JSON element is an object, accessing it using subscription operator. If the following request’s body is provided:
[
{
"cmd": "SetAutoFocus",
"action": 0,
"param": ""
}
]
The cgiserver.cgi will reach the assert at [1] and consequently reboot the camera.
CVE-2021-44374 - SetMask param is not object
The SetMask’s JSON param parser will assume that the param JSON element is an object, accessing it using subscription operator. If the following request’s body is provided:
[
{
"cmd": "SetMask",
"action": 0,
"param": ""
}
]
The cgiserver.cgi will reach the assert at [1] and consequently reboot the camera.
CVE-2021-44375 - SetOsd param is not object
The SetOsd’s JSON param parser will assume that the param JSON element is an object, accessing it using subscription operator. If the following request’s body is provided:
[
{
"cmd": "SetOsd",
"action": 0,
"param": ""
}
]
The cgiserver.cgi will reach the assert at [1] and consequently reboot the camera.
CVE-2021-44376 - SetIsp param is not object
The SetIsp’s JSON param parser will assume that the param JSON element is an object, accessing it using subscription operator. If the following request’s body is provided:
[
{
"cmd": "SetIsp",
"action": 0,
"param": ""
}
]
The cgiserver.cgi will reach the assert at [1] and consequently reboot the camera.
CVE-2021-44377 - SetImage param is not object
The SetImage’s JSON param parser will assume that the param JSON element is an object, accessing it using subscription operator. If the following request’s body is provided:
[
{
"cmd": "SetImage",
"action": 0,
"param": ""
}
]
The cgiserver.cgi will reach the assert at [1] and consequently reboot the camera.
CVE-2021-44378 - SetEnc param is not object
The SetEnc’s JSON param parser will assume that the param JSON element is an object, accessing it using subscription operator. If the following request’s body is provided:
[
{
"cmd": "SetEnc",
"action": 0,
"param": ""
}
]
The cgiserver.cgi will reach the assert at [1] and consequently reboot the camera.
CVE-2021-44379 - SetAutoMaint param is not object
The SetAutoMaint’s JSON param parser will assume that the param JSON element is an object, accessing it using subscription operator. If the following request’s body is provided:
[
{
"cmd": "SetAutoMaint",
"action": 0,
"param": ""
}
]
The cgiserver.cgi will reach the assert at [1] and consequently reboot the camera.
CVE-2021-44380 - SetTime param is not object
The SetTime’s JSON param parser will assume that the param JSON element is an object, accessing it using subscription operator. If the following request’s body is provided:
[
{
"cmd": "SetTime",
"action": 0,
"param": ""
}
]
The cgiserver.cgi will reach the assert at [1] and consequently reboot the camera.
CVE-2021-44381 - SetPowerLed param is not object
The SetPowerLed’s JSON param parser will assume that the param JSON element is an object, accessing it using subscription operator. If the following request’s body is provided:
[
{
"cmd": "SetPowerLed",
"action": 0,
"param": ""
}
]
The cgiserver.cgi will reach the assert at [1] and consequently reboot the camera.
CVE-2021-44382 - SetIrLights param is not object
The SetIrLights’s JSON param parser will assume that the param JSON element is an object, accessing it using subscription operator. If the following request’s body is provided:
[
{
"cmd": "SetIrLights",
"action": 0,
"param": ""
}
]
The cgiserver.cgi will reach the assert at [1] and consequently reboot the camera.
CVE-2021-44383 - SetAutoUpgrade param is not object
The SetAutoUpgrade’s JSON param parser will assume that the param JSON element is an object, accessing it using subscription operator. If the following request’s body is provided:
[
{
"cmd": "SetAutoUpgrade",
"action": 0,
"param": ""
}
]
The cgiserver.cgi will reach the assert at [1] and consequently reboot the camera.
CVE-2021-44384 - SetPtzTattern param is not object
The SetPtzTattern’s JSON param parser will assume that the param JSON element is an object, accessing it using subscription operator. If the following request’s body is provided:
[
{
"cmd": "SetPtzTattern",
"action": 0,
"param": ""
}
]
The cgiserver.cgi will reach the assert at [1] and consequently reboot the camera.
CVE-2021-44385 - SetPtzSerial param is not object
The SetPtzSerial’s JSON param parser will assume that the param JSON element is an object, accessing it using subscription operator. If the following request’s body is provided:
[
{
"cmd": "SetPtzSerial",
"action": 0,
"param": ""
}
]
The cgiserver.cgi will reach the assert at [1] and consequently reboot the camera.
CVE-2021-44386 - SetPtzPatrol param is not object
The SetPtzPatrol’s JSON param parser will assume that the param JSON element is an object, accessing it using subscription operator. If the following request’s body is provided:
[
{
"cmd": "SetPtzPatrol",
"action": 0,
"param": ""
}
]
The cgiserver.cgi will reach the assert at [1] and consequently reboot the camera.
CVE-2021-44387 - SetPtzPreset param is not object
The SetPtzPreset’s JSON param parser will assume that the param JSON element is an object, accessing it using subscription operator. If the following request’s body is provided:
[
{
"cmd": "SetPtzPreset",
"action": 0,
"param": ""
}
]
The cgiserver.cgi will reach the assert at [1] and consequently reboot the camera.
CVE-2021-44388 - Login param is not object
The Login’s JSON param parser will assume that the param JSON element is an object, accessing it using subscription operator. If the following request’s body is provided:
[
{
"cmd": "Login",
"action": 0,
"param": ""
}
]
The cgiserver.cgi will reach the assert at [1] and consequently reboot the camera.
CVE-2021-44389 - GetAbility param is not object
The GetAbility’s JSON param parser will assume that the param JSON element is an object, accessing it using subscription operator. If the following request’s body is provided:
[
{
"cmd": "GetAbility",
"action": 0,
"param": ""
}
]
The cgiserver.cgi will reach the assert at [1] and consequently reboot the camera.
CVE-2021-44390 - Format param is not object
The Format’s JSON param parser will assume that the param JSON element is an object, accessing it using subscription operator. If the following request’s body is provided:
[
{
"cmd": "Format",
"action": 0,
"param": ""
}
]
The cgiserver.cgi will reach the assert at [1] and consequently reboot the camera.
CVE-2021-44391 - GetEnc param is not object
The GetEnc’s JSON param parser will assume that the param JSON element is an object, accessing it using subscription operator. If the following request’s body is provided:
[
{
"cmd": "GetEnc",
"action": 0,
"param": ""
}
]
The cgiserver.cgi will reach the assert at [1] and consequently reboot the camera.
CVE-2021-44392 - GetImage param is not object
The GetImage’s JSON param parser will assume that the param JSON element is an object, accessing it using subscription operator. If the following request’s body is provided:
[
{
"cmd": "GetImage",
"action": 0,
"param": ""
}
]
The cgiserver.cgi will reach the assert at [1] and consequently reboot the camera.
CVE-2021-44393 - GetIsp param is not object
The GetIsp’s JSON param parser will assume that the param JSON element is an object, accessing it using subscription operator. If the following request’s body is provided:
[
{
"cmd": "GetIsp",
"action": 0,
"param": ""
}
]
The cgiserver.cgi will reach the assert at [1] and consequently reboot the camera.
CVE-2021-44394 - GetOsd param is not object
The GetOsd’s JSON param parser will assume that the param JSON element is an object, accessing it using subscription operator. If the following request’s body is provided:
[
{
"cmd": "GetOsd",
"action": 0,
"param": ""
}
]
The cgiserver.cgi will reach the assert at [1] and consequently reboot the camera.
CVE-2021-44395 - GetMask param is not object
The GetMask’s JSON param parser will assume that the param JSON element is an object, accessing it using subscription operator. If the following request’s body is provided:
[
{
"cmd": "GetMask",
"action": 0,
"param": ""
}
]
The cgiserver.cgi will reach the assert at [1] and consequently reboot the camera.
CVE-2021-44396 - Preview param is not object
The Preview’s JSON param parser will assume that the param JSON element is an object, accessing it using subscription operator. If the following request’s body is provided:
[
{
"cmd": "Preview",
"action": 0,
"param": ""
}
]
The cgiserver.cgi will reach the assert at [1] and consequently reboot the camera.
CVE-2021-44397 - rtmp=start param is not object
The rtmp=start’s JSON param parser will assume that the param JSON element is an object, accessing it using subscription operator. If the following request’s body is provided:
[
{
"cmd": "rtmp=start",
"action": 0,
"param": ""
}
]
The cgiserver.cgi will reach the assert at [1] and consequently reboot the camera.
CVE-2021-44398 - rtmp=stop param is not object
The rtmp=stop’s JSON param parser will assume that the param JSON element is an object, accessing it using subscription operator. If the following request’s body is provided:
[
{
"cmd": "rtmp=stop",
"action": 0,
"param": ""
}
]
The cgiserver.cgi will reach the assert at [1] and consequently reboot the camera.
CVE-2021-44399 - GetPtzPreset param is not object
The GetPtzPreset’s JSON param parser will assume that the param JSON element is an object, accessing it using subscription operator. If the following request’s body is provided:
[
{
"cmd": "GetPtzPreset",
"action": 0,
"param": ""
}
]
The cgiserver.cgi will reach the assert at [1] and consequently reboot the camera.
CVE-2021-44400 - GetPtzPatrol param is not object
The GetPtzPatrol’s JSON param parser will assume that the param JSON element is an object, accessing it using subscription operator. If the following request’s body is provided:
[
{
"cmd": "GetPtzPatrol",
"action": 0,
"param": ""
}
]
The cgiserver.cgi will reach the assert at [1] and consequently reboot the camera.
CVE-2021-44401 - PtzCtrl param is not object
The PtzCtrl’s JSON param parser will assume that the param JSON element is an object, accessing it using subscription operator. If the following request’s body is provided:
[
{
"cmd": "PtzCtrl",
"action": 0,
"param": ""
}
]
The cgiserver.cgi will reach the assert at [1] and consequently reboot the camera.
CVE-2021-44402 - GetPtzSerial param is not object
The GetPtzSerial’s JSON param parser will assume that the param JSON element is an object, accessing it using subscription operator. If the following request’s body is provided:
[
{
"cmd": "GetPtzSerial",
"action": 0,
"param": ""
}
]
The cgiserver.cgi will reach the assert at [1] and consequently reboot the camera.
CVE-2021-44403 - GetPtzTattern param is not object
The GetPtzTattern’s JSON param parser will assume that the param JSON element is an object, accessing it using subscription operator. If the following request’s body is provided:
[
{
"cmd": "GetPtzTattern",
"action": 0,
"param": ""
}
]
The cgiserver.cgi will reach the assert at [1] and consequently reboot the camera.
CVE-2021-44404 - GetZoomFocus param is not object
The GetZoomFocus’s JSON param parser will assume that the param JSON element is an object, accessing it using subscription operator. If the following request’s body is provided:
[
{
"cmd": "GetZoomFocus",
"action": 0,
"param": ""
}
]
The cgiserver.cgi will reach the assert at [1] and consequently reboot the camera.
CVE-2021-44405 - StartZoomFocus param is not object
The StartZoomFocus’s JSON param parser will assume that the param JSON element is an object, accessing it using subscription operator. If the following request’s body is provided:
[
{
"cmd": "StartZoomFocus",
"action": 0,
"param": ""
}
]
The cgiserver.cgi will reach the assert at [1] and consequently reboot the camera.
CVE-2021-44406 - GetAutoFocus param is not object
The GetAutoFocus’s JSON param parser will assume that the param JSON element is an object, accessing it using subscription operator. If the following request’s body is provided:
[
{
"cmd": "GetAutoFocus",
"action": 0,
"param": ""
}
]
The cgiserver.cgi will reach the assert at [1] and consequently reboot the camera.
CVE-2021-44407 - TestEmail param is not object
The TestEmail’s JSON param parser will assume that the param JSON element is an object, accessing it using subscription operator. If the following request’s body is provided:
[
{
"cmd": "TestEmail",
"action": 0,
"param": ""
}
]
The cgiserver.cgi will reach the assert at [1] and consequently reboot the camera.
CVE-2021-44408 - TestFtp param is not object
The TestFtp’s JSON param parser will assume that the param JSON element is an object, accessing it using subscription operator. If the following request’s body is provided:
[
{
"cmd": "TestFtp",
"action": 0,
"param": ""
}
]
The cgiserver.cgi will reach the assert at [1] and consequently reboot the camera.
CVE-2021-44409 - TestWifi param is not object
The TestWifi’s JSON param parser will assume that the param JSON element is an object, accessing it using subscription operator. If the following request’s body is provided:
[
{
"cmd": "TestWifi",
"action": 0,
"param": ""
}
]
The cgiserver.cgi will reach the assert at [1] and consequently reboot the camera.
CVE-2021-44410 - UpgradePrepare param is not object
The UpgradePrepare’s JSON param parser will assume that the param JSON element is an object, accessing it using subscription operator. If the following request’s body is provided:
[
{
"cmd": "UpgradePrepare",
"action": 0,
"param": ""
}
]
The cgiserver.cgi will reach the assert at [1] and consequently reboot the camera.
CVE-2021-44411 - Search param is not object
The Search’s JSON param parser will assume that the param JSON element is an object, accessing it using subscription operator. If the following request’s body is provided:
[
{
"cmd": "Search",
"action": 0,
"param": ""
}
]
The cgiserver.cgi will reach the assert at [1] and consequently reboot the camera.
CVE-2021-44412 - GetRec param is not object
The GetRec’s JSON param parser will assume that the param JSON element is an object, accessing it using subscription operator. If the following request’s body is provided:
[
{
"cmd": "GetRec",
"action": 0,
"param": ""
}
]
The cgiserver.cgi will reach the assert at [1] and consequently reboot the camera.
CVE-2021-44413 - AddUser param is not object
The AddUser’s JSON param parser will assume that the param JSON element is an object, accessing it using subscription operator. If the following request’s body is provided:
[
{
"cmd": "AddUser",
"action": 0,
"param": ""
}
]
The cgiserver.cgi will reach the assert at [1] and consequently reboot the camera.
CVE-2021-44414 - DelUser param is not object
The DelUser’s JSON param parser will assume that the param JSON element is an object, accessing it using subscription operator. If the following request’s body is provided:
[
{
"cmd": "DelUser",
"action": 0,
"param": ""
}
]
The cgiserver.cgi will reach the assert at [1] and consequently reboot the camera.
CVE-2021-44415 - ModifyUser param is not object
The ModifyUser’s JSON param parser will assume that the param JSON element is an object, accessing it using subscription operator. If the following request’s body is provided:
[
{
"cmd": "ModifyUser",
"action": 0,
"param": ""
}
]
The cgiserver.cgi will reach the assert at [1] and consequently reboot the camera.
CVE-2021-44416 - Disconnect param is not object
The Disconnect’s JSON param parser will assume that the param JSON element is an object, accessing it using subscription operator. If the following request’s body is provided:
[
{
"cmd": "Disconnect",
"action": 0,
"param": ""
}
]
The cgiserver.cgi will reach the assert at [1] and consequently reboot the camera.
CVE-2021-44417 - GetAlarm param is not object
The GetAlarm’s JSON param parser will assume that the param JSON element is an object, accessing it using subscription operator. If the following request’s body is provided:
[
{
"cmd": "GetAlarm",
"action": 0,
"param": ""
}
]
The cgiserver.cgi will reach the assert at [1] and consequently reboot the camera.
CVE-2021-44418 - GetMdState param is not object
The GetMdState’s JSON param parser will assume that the param JSON element is an object, accessing it using subscription operator. If the following request’s body is provided:
[
{
"cmd": "GetMdState",
"action": 0,
"param": ""
}
]
The cgiserver.cgi will reach the assert at [1] and consequently reboot the camera.
CVE-2021-44419 - GetMdAlarm param is not object
The GetMdAlarm’s JSON param parser will assume that the param JSON element is an object, accessing it using subscription operator. If the following request’s body is provided:
[
{
"cmd": "GetMdAlarm",
"action": 0,
"param": ""
}
]
The cgiserver.cgi will reach the assert at [1] and consequently reboot the camera.
Timeline
2021-12-06 - Vendor Disclosure
2022-01-19 - Vendor Patched
2022-01-26 - Public Release
Discovered by Francesco Benvenuto of Cisco Talos.