Talos Intelligence - TALOS-2022-1447
Jan 26, 2022 - 12:00 a.m.

Reolink RLC-410W "update" firmware checks firmware update vulnerability

www.talosintelligence.com

CVSS2

5 - AV:N/AC:L/Au:N/C:N/I:P/A:N

Attack Vector: NETWORK
Attack Complexity: LOW
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: PARTIAL
Availability Impact: NONE

CVSS3

7.5 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: HIGH
Availability Impact: NONE

EPSS

0.002 (Percentile: 56.0%)

Summary

A firmware update vulnerability exists in the "update" firmware checks functionality of Reolink RLC-410W v3.0.0.136_20121102. A specially-crafted HTTP request can lead to a firmware update. An attacker can send a sequence of requests to trigger this vulnerability.

Tested Versions

Reolink RLC-410W v3.0.0.136_20121102

Product URLs

RLC-410W - <https://reolink.com/us/product/rlc-410w/>

CVSSv3 Score

8.3 - CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
10.0 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H - chain: TALOS-2021-1428

CWE

CWE-347 - Improper Verification of Cryptographic Signature

Details

The Reolink RLC-410W is a WiFi security camera. The camera includes motion detection functionalities and various methods to save the recordings.

The RLC-410W offers firmware upgrades through the Upgrade API. The upgrade process does not include any cryptographic signature that would guarantee that the content of the upgrade is legitimate. This would allow an attacker who is able to call the Upgrade API to insert a backdoor and modify the firmware of the camera. The same consequences apply to an attacker able to perform a man-in-the-middle attack, where the attacker would wait for a legitimate user to initiate a firmware update and modify the firmware in transit. The update binary, which is responsible for performing the actual firmware update, only calculates and checks a CRC32.

Note that, while this issue requires a MITM or admin privileges, it's possible to use TALOS-2021-1428 to perform the update without authentication and without the need for a MITM. In this case, the actual chained CVSS score would be 10.0 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H.
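
The difference between the CRC32-only check described in the Details and a signature check, as an added Go example that is not code from the advisory or from Reolink. The container layout (payload followed by a big-endian CRC32), the function names and the Ed25519 key pair are assumptions made for illustration.

```go
package main

import (
	"crypto/ed25519"
	"encoding/binary"
	"errors"
	"fmt"
	"hash/crc32"
)

// packCRC builds a constructed container, payload || CRC32(payload); not the Reolink format.
func packCRC(payload []byte) []byte {
	out := make([]byte, len(payload)+4)
	copy(out, payload)
	binary.BigEndian.PutUint32(out[len(payload):], crc32.ChecksumIEEE(payload))
	return out
}

// checkCRC is the weak check: anyone who edits the payload can recompute the trailer.
func checkCRC(img []byte) ([]byte, error) {
	if len(img) < 4 {
		return nil, errors.New("image too short")
	}
	payload := img[:len(img)-4]
	if crc32.ChecksumIEEE(payload) != binary.BigEndian.Uint32(img[len(img)-4:]) {
		return nil, errors.New("crc mismatch")
	}
	return payload, nil
}

// checkSigned keeps the CRC for transfer errors, then requires a detached Ed25519 signature.
func checkSigned(img, sig []byte, vendorPub ed25519.PublicKey) ([]byte, error) {
	payload, err := checkCRC(img)
	if err != nil {
		return nil, err
	}
	if !ed25519.Verify(vendorPub, payload, sig) {
		return nil, errors.New("signature invalid")
	}
	return payload, nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // constructed key pair standing in for a vendor key
	altered := packCRC([]byte("constructed firmware v1, altered after release"))
	_, crcErr := checkCRC(altered)
	_, sigErr := checkSigned(altered, ed25519.Sign(priv, []byte("constructed firmware v1")), pub)
	fmt.Println("CRC-only accepts altered image:", crcErr == nil, "| signed check rejects it:", sigErr != nil)
}
```

In a signed design the device stores only the public key, so reading the key out of a camera does not allow new images to be signed.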

Timeline

2022-01-14 - Initial Contact
2022-01-19 - Vendor Patched
2022-01-26 - Public Disclosure
