A firmware update vulnerability exists in the "update" firmware checks functionality of reolink RLC-410W v126.96.36.199_20121102. A specially-crafted HTTP request can lead to firmware update. An attacker can send a sequence of requests to trigger this vulnerability.
Reolink RLC-410W v188.8.131.52_20121102
RLC-410W - https://reolink.com/us/product/rlc-410w/
8.3 - CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H 10.0 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H - chain: TALOS-2021-1428
CWE-347 - Improper Verification of Cryptographic Signature
The Reolink RLC-410W is a WiFi security camera. The camera includes motion detection functionalities and various methods to save the recordings.
The RLC-410W offers, through the
Upgrade API, the upgrade of its firmware. The upgrade process does not include any cryptographic signature that would guarantee that the content of the upgrade is legitimate. This would allows an attacker, that is able to perform the
Upgrade API, to insert backdoor and modify the firmware of the camera. The same consequences are true for an attacker able to perform a man-in-the-middle attack where the attacker would wait for a legitimate user to initiate a firmware update and modify the firmware in transit.
update binary, the one responsible to perform the actual firmware update, does only calculate and check a CRC32.
Note that, while this issue requires a MITM or admin privileges, it’s possible to use TALOS-2021-1428 to perform the update without authentication and the necessity of MITM. In this case, the actual chained CVSS score would be 10.0 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H.
2022-01-14 - Initial Contact
2022-01-19 - Vendor Patched
2022-01-26 - Public Disclosure
Discovered by Francesco Benvenuto of Cisco Talos.