CVSS2
Attack Vector: NETWORK
Attack Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: NONE
Availability Impact: NONE
Vector: AV:N/AC:M/Au:N/C:P/I:N/A:N

CVSS3
Attack Vector: NETWORK
Attack Complexity: HIGH
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: NONE
Availability Impact: NONE
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

EPSS
Percentile: 53.5%

An information disclosure vulnerability exists due to the hardcoded TLS key of Reolink RLC-410W v3.0.0.136_20121102. A specially-crafted man-in-the-middle attack can lead to a disclosure of sensitive information. An attacker can perform a man-in-the-middle attack to trigger this vulnerability.
Reolink RLC-410W v3.0.0.136_20121102
RLC-410W - <https://reolink.com/us/product/rlc-410w/>
7.5 - CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
CWE-321 - Use of Hard-coded Cryptographic Key
The Reolink RLC-410W is a WiFi security camera. The camera includes motion detection functionalities and various methods to save the recordings.
The RLC-410W ships with a hardcoded TLS key. The following is the relevant part of the nginx configuration used by the camera:

    [...]
    http
    {
        [...]
        server
        {
            [...]
            ssl on;
            ssl_protocols TLSv1.2;                        # [1]
            ssl_certificate /mnt/app/www/self.crt;
            ssl_certificate_key /mnt/app/www/self.key;    # [2]
            [...]
        }
    }

At [2] the location of the TLS private key is specified. This key is hardcoded in the firmware. At [1] it is possible to see that TLSv1.2 is used.
An attacker can impersonate any camera using the hardcoded TLS private key. Since TLS v1.2 is used in some specific contexts, an attacker could use the TLS private key to decrypt the HTTPS conversation established with the camera, allowing the attacker to successfully perform a MITM attack. This enables the attacker to steal the authentication tokens of logged-in users, potentially allowing the attacker to act with admin privileges.
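
A firmware-review check for the issue described above, as an added example that is not from the advisory or the vendor: it scans an unpacked firmware tree for nginx ssl_certificate_key directives whose target private key is already present in the image, meaning every device running that image shares it. The tree layout, the etc/nginx/nginx.conf location and the function names are assumptions, and the sample files are constructed.

```python
import re
import tempfile
from pathlib import Path

# nginx directive naming the TLS private key file (commented-out lines do not match).
KEY_DIRECTIVE = re.compile(r"^\s*ssl_certificate_key\s+([^;\s]+)\s*;", re.MULTILINE)
# PEM header of an RSA, EC, PKCS#8 or encrypted PKCS#8 private key.
PEM_PRIVATE_KEY = re.compile(rb"-----BEGIN (?:RSA |EC |ENCRYPTED )?PRIVATE KEY-----")

def find_shipped_tls_keys(rootfs):
    """Return (config, key_path) pairs where a config in the unpacked image
    points nginx at a private key file that is itself part of the image."""
    rootfs = Path(rootfs)
    findings = []
    for conf in sorted(rootfs.rglob("*.conf")):
        text = conf.read_text(errors="replace")
        for key_path in KEY_DIRECTIVE.findall(text):
            # Re-root the configured path under the unpacked tree.
            candidate = rootfs / key_path.lstrip("/")
            if candidate.is_file() and PEM_PRIVATE_KEY.search(candidate.read_bytes()):
                findings.append((conf.relative_to(rootfs).as_posix(), key_path))
    return findings

# Constructed samples: the advisory's directives (elisions removed) and a
# placeholder that is not real key material.
SAMPLE_CONF = """http {
    server {
        ssl on;
        ssl_protocols TLSv1.2;
        ssl_certificate /mnt/app/www/self.crt;
        ssl_certificate_key /mnt/app/www/self.key;
    }
}
"""
SAMPLE_KEY = "-----BEGIN PRIVATE KEY-----\nCONSTRUCTED-PLACEHOLDER\n-----END PRIVATE KEY-----\n"

def build_sample_rootfs(root, ship_key):
    """Create a tiny constructed firmware tree; etc/nginx/nginx.conf is an assumed location."""
    (root / "etc/nginx").mkdir(parents=True)
    (root / "etc/nginx/nginx.conf").write_text(SAMPLE_CONF)
    (root / "mnt/app/www").mkdir(parents=True)
    if ship_key:
        (root / "mnt/app/www/self.key").write_text(SAMPLE_KEY)
    return root

def demo():
    with tempfile.TemporaryDirectory() as tmp:
        shipped = build_sample_rootfs(Path(tmp) / "shipped", ship_key=True)
        provisioned = build_sample_rootfs(Path(tmp) / "provisioned", ship_key=False)
        return find_shipped_tls_keys(shipped), find_shipped_tls_keys(provisioned)
```

An empty result for an image means the key nginx expects is not baked in and has to be generated or provisioned per device; any finding is a key shared by every unit running that firmware.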
2022-01-14 - Vendor Disclosure
2022-01-19 - Vendor Patched
2022-01-26 - Public Release