Talos Vulnerability Report

TALOS-2021-1421

Reolink RLC-410W cgiserver.cgi JSON command parser denial of service vulnerabilities

January 26, 2022
CVE Number

CVE-2021-44354,CVE-2021-44355, CVE-2021-44356, CVE-2021-44357, CVE-2021-44358, CVE-2021-44359, CVE-2021-44360, CVE-2021-44361, CVE-2021-44362, CVE-2021-44363, CVE-2021-44364, CVE-2021-44365, CVE-2021-44366, CVE-2021-44367, CVE-2021-44368, CVE-2021-44369, CVE-2021-44370, CVE-2021-44371, CVE-2021-44372, CVE-2021-44373, CVE-2021-44374, CVE-2021-44375, CVE-2021-44376, CVE-2021-44377, CVE-2021-44378, CVE-2021-44379, CVE-2021-44380, CVE-2021-44381, CVE-2021-44382, CVE-2021-44383, CVE-2021-44384, CVE-2021-44385, CVE-2021-44386, CVE-2021-44387, CVE-2021-44388, CVE-2021-44389, CVE-2021-44390, CVE-2021-44391, CVE-2021-44392, CVE-2021-44393, CVE-2021-44394, CVE-2021-44395, CVE-2021-44396, CVE-2021-44397, CVE-2021-44398, CVE-2021-44399, CVE-2021-44400,CVE-2021-44401, CVE-2021-44402,CVE-2021-44403,CVE-2021-44404,CVE-2021-44405, CVE-2021-44406, CVE-2021-44407, CVE-2021-44408, CVE-2021-44409, CVE-2021-44410, CVE-2021-44411, CVE-2021-44412, CVE-2021-44413, CVE-2021-44414, CVE-2021-44415, CVE-2021-44416, CVE-2021-44417, CVE-2021-44418, CVE-2021-44419

Summary

Multiple denial of service vulnerabilities exist in the cgiserver.cgi JSON command parser functionality of reolink RLC-410W v3.0.0.136_20121102. A specially-crafted HTTP request can lead to a reboot. An attacker can send an HTTP request to trigger this vulnerability.

Tested Versions

reolink RLC-410W v3.0.0.136_20121102

Product URLs

RLC-410W - https://reolink.com/us/product/rlc-410w/

CVSSv3 Score

8.6 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H

CWE

CWE-20 - Improper Input Validation

Details

The reolink RLC-410W is a WiFi security camera. The camera includes motion detection functionalities and various methods to save the recordings.

The RLC-410W offers different APIs for different levels of authentication. One of these APIs has the purpose of rebooting the device; this API should be executed by administrator users only.

A specially-crafted HTTP request can lead to kill the cgiserver.cgi process and a consequentially to the reboot of the device, without the required permission.

The cgiserver.cgi manages the API requests, parsing the commands and parameters provided. One way to issue commands and parameters is by providing those in a JSON array in the body. A body with commands looks like the following:

[
    {
        "cmd":    <COMMAND NAME 1>,
        "action": <ACTION NUMBER 1>,
        "param":{
                  <COMMAND PARAMETERS 1>
        }
    },
    ...
    {
        "cmd":    <COMMAND NAME n>,
        "action": <ACTION NUMBER n>,
        "param":{
                  <COMMAND PARAMETERS n>
        }
    },
]

All the JSON elements inside a JSON object are going to be accessed using the subscription operator:

int __thiscall Json::Value::operator[](Value *this,char *key)

{
  [...]

  puVar4 = &_mips_gp0_value;
  if (this->type == null) {
    Value(aVStack64,7);
    operator=(this,aVStack64);
    ~Value(aVStack64);
  }
  else {
    if (this->type != object) {
                    /* WARNING: Subroutine does not return */
      __assert(s_type__==_nullValue_||_type__==_o_004e3084,
               "/home/mdq/new_svn/test/ipc/trunk/opensource/libjson/src/json_value.cpp",0x401);         [1]
    }
  }
 [...]
}  

If the JSON element is neither of the type null or object, the program will assert. If this happens, the cgiserver.cgi process will not able to send its heartbeat. Eventually the entire device will be rebooted.

Each one of the provided commands is parsed by the body_request_to_command:

  undefined body_request_to_command(cgi_request *req,cgi_cmd *cgi_cmd,Value *json_element)

  {
    [...]
    pVVar3 = (Value *)Json::Value::operator[](json_element,"cmd");                                      [2]
    [...]
  }

In [2] the json_element represents one of the elements of the array that contains the commands.

Instead, each param object is parsed individually for each API. But the code that passes the param JSON object, as argument for the function, is the same for all the APIs. The API-specific param parser is called in the cgi_param_parse function:

int cgi_param_parse(cgi_cmd *cgi_cmd,cgi_session *session)

      {
        [...]

        Json::Reader::Reader(json_reader);
        Json::Value::Value(&body_as_json,0);
        pcVar1 = cgi_cmd->associated_request;
        if (pcVar1->is_commands_in_body == 0) {
          API_command = cgi_cmd->command_ID;
      CHECK_PERMISSIONS:
          iVar3 = check_channel_if_command_require_it(API_command,cgi_cmd->query_string[channel]);
          if (iVar3 == 0) {
            AVar4 = cgi_check_ability(cgi_cmd->command_ID,session,cgi_cmd->query_string[channel]);      [3]
            dVar5 = 0;
            if (AVar4 == ~not exist) goto LAB_0043ca18;
          }
          else {
            AVar4 = check err;
          }
        }
        else {
          if (pcVar1->CONTENT_LENGTH == 0) {
            API_command = cgi_cmd->command_ID;
            goto CHECK_PERMISSIONS;
          }
          std::basic_string<char,std::char_traits<char>,std::allocator<char>>::basic_string
                    ((char *)body_data_as_string,(allocator *)pcVar1->body_data);
          is_valid_json = Json::Reader::parse(json_reader,body_data_as_string,&body_as_json,true);
          std::basic_string<char,std::char_traits<char>,std::allocator<char>>::~basic_string
                    ((basic_string<char,std::char_traits<char>,std::allocator<char>> *)body_data_as_string
                    );
          if (is_valid_json != 0) {
            command_struct = (command_struct *)get_command_struct_by_id(cgi_cmd->command_ID);
            j2s_function = command_struct->j2s;
            pVVar2 = (Value *)Json::Value::operator[](&body_as_json,cgi_cmd->idx_in_array_command);
            pVVar2 = (Value *)Json::Value::operator[](pVVar2,"param");                                  [4]
            dVar5 = (*j2s_function)(pVVar2,cgi_cmd);                                                    [5]
            if (dVar5 != 0) goto LAB_0043ca18;
            API_command = cgi_cmd->command_ID;
            goto CHECK_PERMISSIONS;
          }
        [...]
      }

At [4] the param element is taken and passed at [5] to the API-specific JSON parser that will parse the parameters. After the parsing, at [3], it is checked that the user who requested the API has the correct permission for performing it.

Both the code at [2] and the code called to parse the param JSON element at [5] assume that the JSON passed are JSON objects, but this is not always the case. For example with:

curl --request POST \
     --data "[{\"cmd\": \"<CMD_NAME>\",\"action\": 0,\"param\":  \"\"}]" \
     http://<CAMERA_IP>/cgi-bin/api.cgi\?cmd\=<CMD_NAME>&token\=<SESSION_TOKEN>

Based on the CMD_NAME, this request could crash the device, because at [5] the param JSON element is taken and passed to the CMD_NAME API-specific parameters parser. In various APIs, that requires param. The parser code will assume, erroneously, that the JSON element of param is an object, accessing it with the subscription operator, leading to the assert at [1].

Note that, while most of this requires a logged-in user, it’s possible to use TALOS-2021-1420 to perform these API calls without authentication.

CVE-2021-44354 - JSON command is not object

The body_request_to_command function will expect JSON objects as elements of the JSON array. If the following request’s body is provided:

[
   ""
]

The cgiserver.cgi will reach the assert at [1] and consequently the reboot of the camera. Note that, this issue does not require a logged-in user.

CVE-2021-44355 - SetMdAlarm param is not object

The SetMdAlarm’s JSON param parser will assume that the param JSON element is an object, accessing it using subscription operator. If the following request’s body is provided:

[
    {
        "cmd": "SetMdAlarm",
        "action": 0,
        "param":  ""
    }
]

The cgiserver.cgi will reach the assert at [1] and consequently reboot the camera.

CVE-2021-44356 - SetAudioAlarm param is not object

The SetAudioAlarm’s JSON param parser will assume that the param JSON element is an object, accessing it using subscription operator. If the following request’s body is provided:

[
    {
        "cmd": "SetAudioAlarm",
        "action": 0,
        "param":  ""
    }
]

The cgiserver.cgi will reach the assert at [1] and consequently reboot the camera.

CVE-2021-44357 - SetAlarm param is not object

The SetAlarm’s JSON param parser will assume that the param JSON element is an object, accessing it using subscription operator. If the following request’s body is provided:

[
    {
        "cmd": "SetAlarm",
        "action": 0,
        "param":  ""
    }
]

The cgiserver.cgi will reach the assert at [1] and consequently reboot the camera.

CVE-2021-44358 - SetRec param is not object

The SetRec’s JSON param parser will assume that the param JSON element is an object, accessing it using subscription operator. If the following request’s body is provided:

[
    {
        "cmd": "SetRec",
        "action": 0,
        "param":  ""
    }
]

The cgiserver.cgi will reach the assert at [1] and consequently reboot the camera.

CVE-2021-44359 - SetCrop param is not object

The SetCrop’s JSON param parser will assume that the param JSON element is an object, accessing it using subscription operator. If the following request’s body is provided:

[
    {
        "cmd": "SetCrop",
        "action": 0,
        "param":  ""
    }
]

The cgiserver.cgi will reach the assert at [1] and consequently reboot the camera.

CVE-2021-44360 - SetNorm param is not object

The SetNorm’s JSON param parser will assume that the param JSON element is an object, accessing it using subscription operator. If the following request’s body is provided:

[
    {
        "cmd": "SetNorm",
        "action": 0,
        "param":  ""
    }
]

The cgiserver.cgi will reach the assert at [1] and consequently reboot the camera.

CVE-2021-44361 - Set3G param is not object

The Set3G’s JSON param parser will assume that the param JSON element is an object, accessing it using subscription operator. If the following request’s body is provided:

[
    {
        "cmd": "Set3G",
        "action": 0,
        "param":  ""
    }
]

The cgiserver.cgi will reach the assert at [1] and consequently reboot the camera.

CVE-2021-44362 - SetCloudSchedule param is not object

The SetCloudSchedule’s JSON param parser will assume that the param JSON element is an object, accessing it using subscription operator. If the following request’s body is provided:

[
    {
        "cmd": "SetCloudSchedule",
        "action": 0,
        "param":  ""
    }
]

The cgiserver.cgi will reach the assert at [1] and consequently reboot the camera.

CVE-2021-44363 - SetPush param is not object

The SetPush’s JSON param parser will assume that the param JSON element is an object, accessing it using subscription operator. If the following request’s body is provided:

[
    {
        "cmd": "SetPush",
        "action": 0,
        "param":  ""
    }
]

The cgiserver.cgi will reach the assert at [1] and consequently reboot the camera.

CVE-2021-44364 - SetWifi param is not object

The SetWifi’s JSON param parser will assume that the param JSON element is an object, accessing it using subscription operator. If the following request’s body is provided:

[
    {
        "cmd": "SetWifi",
        "action": 0,
        "param":  ""
    }
]

The cgiserver.cgi will reach the assert at [1] and consequently reboot the camera.

CVE-2021-44365 - SetDevName param is not object

The SetDevName’s JSON param parser will assume that the param JSON element is an object, accessing it using subscription operator. If the following request’s body is provided:

[
    {
        "cmd": "SetDevName",
        "action": 0,
        "param":  ""
    }
]

The cgiserver.cgi will reach the assert at [1] and consequently reboot the camera.

CVE-2021-44366 - SetP2p param is not object

The SetP2p’s JSON param parser will assume that the param JSON element is an object, accessing it using subscription operator. If the following request’s body is provided:

[
    {
        "cmd": "SetP2p",
        "action": 0,
        "param":  ""
    }
]

The cgiserver.cgi will reach the assert at [1] and consequently reboot the camera.

CVE-2021-44367 - SetUpnp param is not object

The SetUpnp’s JSON param parser will assume that the param JSON element is an object, accessing it using subscription operator. If the following request’s body is provided:

[
    {
        "cmd": "SetUpnp",
        "action": 0,
        "param":  ""
    }
]

The cgiserver.cgi will reach the assert at [1] and consequently reboot the camera.

CVE-2021-44368 - SetNetPort param is not object

The SetNetPort’s JSON param parser will assume that the param JSON element is an object, accessing it using subscription operator. If the following request’s body is provided:

[
    {
        "cmd": "SetNetPort",
        "action": 0,
        "param":  ""
    }
]

The cgiserver.cgi will reach the assert at [1] and consequently reboot the camera.

CVE-2021-44369 - SetNtp param is not object

The SetNtp’s JSON param parser will assume that the param JSON element is an object, accessing it using subscription operator. If the following request’s body is provided:

[
    {
        "cmd": "SetNtp",
        "action": 0,
        "param":  ""
    }
]

The cgiserver.cgi will reach the assert at [1] and consequently reboot the camera.

CVE-2021-44370 - SetFtp param is not object

The SetFtp’s JSON param parser will assume that the param JSON element is an object, accessing it using subscription operator. If the following request’s body is provided:

[
    {
        "cmd": "SetFtp",
        "action": 0,
        "param":  ""
    }
]

The cgiserver.cgi will reach the assert at [1] and consequently reboot the camera.

CVE-2021-44371 - SetEmail param is not object

The SetEmail’s JSON param parser will assume that the param JSON element is an object, accessing it using subscription operator. If the following request’s body is provided:

[
    {
        "cmd": "SetEmail",
        "action": 0,
        "param":  ""
    }
]

The cgiserver.cgi will reach the assert at [1] and consequently reboot the camera.

The SetLocalLink’s JSON param parser will assume that the param JSON element is an object, accessing it using subscription operator. If the following request’s body is provided:

[
    {
        "cmd": "SetLocalLink",
        "action": 0,
        "param":  ""
    }
]

The cgiserver.cgi will reach the assert at [1] and consequently reboot the camera.

CVE-2021-44373 - SetAutoFocus param is not object

The SetAutoFocus’s JSON param parser will assume that the param JSON element is an object, accessing it using subscription operator. If the following request’s body is provided:

[
    {
        "cmd": "SetAutoFocus",
        "action": 0,
        "param":  ""
    }
]

The cgiserver.cgi will reach the assert at [1] and consequently reboot the camera.

CVE-2021-44374 - SetMask param is not object

The SetMask’s JSON param parser will assume that the param JSON element is an object, accessing it using subscription operator. If the following request’s body is provided:

[
    {
        "cmd": "SetMask",
        "action": 0,
        "param":  ""
    }
]

The cgiserver.cgi will reach the assert at [1] and consequently reboot the camera.

CVE-2021-44375 - SetOsd param is not object

The SetOsd’s JSON param parser will assume that the param JSON element is an object, accessing it using subscription operator. If the following request’s body is provided:

[
    {
        "cmd": "SetOsd",
        "action": 0,
        "param":  ""
    }
]

The cgiserver.cgi will reach the assert at [1] and consequently reboot the camera.

CVE-2021-44376 - SetIsp param is not object

The SetIsp’s JSON param parser will assume that the param JSON element is an object, accessing it using subscription operator. If the following request’s body is provided:

[
    {
        "cmd": "SetIsp",
        "action": 0,
        "param":  ""
    }
]

The cgiserver.cgi will reach the assert at [1] and consequently reboot the camera.

CVE-2021-44377 - SetImage param is not object

The SetImage’s JSON param parser will assume that the param JSON element is an object, accessing it using subscription operator. If the following request’s body is provided:

[
    {
        "cmd": "SetImage",
        "action": 0,
        "param":  ""
    }
]

The cgiserver.cgi will reach the assert at [1] and consequently reboot the camera.

CVE-2021-44378 - SetEnc param is not object

The SetEnc’s JSON param parser will assume that the param JSON element is an object, accessing it using subscription operator. If the following request’s body is provided:

[
    {
        "cmd": "SetEnc",
        "action": 0,
        "param":  ""
    }
]

The cgiserver.cgi will reach the assert at [1] and consequently reboot the camera.

CVE-2021-44379 - SetAutoMaint param is not object

The SetAutoMaint’s JSON param parser will assume that the param JSON element is an object, accessing it using subscription operator. If the following request’s body is provided:

[
    {
        "cmd": "SetAutoMaint",
        "action": 0,
        "param":  ""
    }
]

The cgiserver.cgi will reach the assert at [1] and consequently reboot the camera.

CVE-2021-44380 - SetTime param is not object

The SetTime’s JSON param parser will assume that the param JSON element is an object, accessing it using subscription operator. If the following request’s body is provided:

[
    {
        "cmd": "SetTime",
        "action": 0,
        "param":  ""
    }
]

The cgiserver.cgi will reach the assert at [1] and consequently reboot the camera.

CVE-2021-44381 - SetPowerLed param is not object

The SetPowerLed’s JSON param parser will assume that the param JSON element is an object, accessing it using subscription operator. If the following request’s body is provided:

[
    {
        "cmd": "SetPowerLed",
        "action": 0,
        "param":  ""
    }
]

The cgiserver.cgi will reach the assert at [1] and consequently reboot the camera.

CVE-2021-44382 - SetIrLights param is not object

The SetIrLights’s JSON param parser will assume that the param JSON element is an object, accessing it using subscription operator. If the following request’s body is provided:

[
    {
        "cmd": "SetIrLights",
        "action": 0,
        "param":  ""
    }
]

The cgiserver.cgi will reach the assert at [1] and consequently reboot the camera.

CVE-2021-44383 - SetAutoUpgrade param is not object

The SetAutoUpgrade’s JSON param parser will assume that the param JSON element is an object, accessing it using subscription operator. If the following request’s body is provided:

[
    {
        "cmd": "SetAutoUpgrade",
        "action": 0,
        "param":  ""
    }
]

The cgiserver.cgi will reach the assert at [1] and consequently reboot the camera.

CVE-2021-44384 - SetPtzTattern param is not object

The SetPtzTattern’s JSON param parser will assume that the param JSON element is an object, accessing it using subscription operator. If the following request’s body is provided:

[
    {
        "cmd": "SetPtzTattern",
        "action": 0,
        "param":  ""
    }
]

The cgiserver.cgi will reach the assert at [1] and consequently reboot the camera.

CVE-2021-44385 - SetPtzSerial param is not object

The SetPtzSerial’s JSON param parser will assume that the param JSON element is an object, accessing it using subscription operator. If the following request’s body is provided:

[
    {
        "cmd": "SetPtzSerial",
        "action": 0,
        "param":  ""
    }
]

The cgiserver.cgi will reach the assert at [1] and consequently reboot the camera.

CVE-2021-44386 - SetPtzPatrol param is not object

The SetPtzPatrol’s JSON param parser will assume that the param JSON element is an object, accessing it using subscription operator. If the following request’s body is provided:

[
    {
        "cmd": "SetPtzPatrol",
        "action": 0,
        "param":  ""
    }
]

The cgiserver.cgi will reach the assert at [1] and consequently reboot the camera.

CVE-2021-44387 - SetPtzPreset param is not object

The SetPtzPreset’s JSON param parser will assume that the param JSON element is an object, accessing it using subscription operator. If the following request’s body is provided:

[
    {
        "cmd": "SetPtzPreset",
        "action": 0,
        "param":  ""
    }
]

The cgiserver.cgi will reach the assert at [1] and consequently reboot the camera.

CVE-2021-44388 - Login param is not object

The Login’s JSON param parser will assume that the param JSON element is an object, accessing it using subscription operator. If the following request’s body is provided:

[
    {
        "cmd": "Login",
        "action": 0,
        "param":  ""
    }
]

The cgiserver.cgi will reach the assert at [1] and consequently reboot the camera.

CVE-2021-44389 - GetAbility param is not object

The GetAbility’s JSON param parser will assume that the param JSON element is an object, accessing it using subscription operator. If the following request’s body is provided:

[
    {
        "cmd": "GetAbility",
        "action": 0,
        "param":  ""
    }
]

The cgiserver.cgi will reach the assert at [1] and consequently reboot the camera.

CVE-2021-44390 - Format param is not object

The Format’s JSON param parser will assume that the param JSON element is an object, accessing it using subscription operator. If the following request’s body is provided:

[
    {
        "cmd": "Format",
        "action": 0,
        "param":  ""
    }
]

The cgiserver.cgi will reach the assert at [1] and consequently reboot the camera.

CVE-2021-44391 - GetEnc param is not object

The GetEnc’s JSON param parser will assume that the param JSON element is an object, accessing it using subscription operator. If the following request’s body is provided:

[
    {
        "cmd": "GetEnc",
        "action": 0,
        "param":  ""
    }
]

The cgiserver.cgi will reach the assert at [1] and consequently reboot the camera.

CVE-2021-44392 - GetImage param is not object

The GetImage’s JSON param parser will assume that the param JSON element is an object, accessing it using subscription operator. If the following request’s body is provided:

[
    {
        "cmd": "GetImage",
        "action": 0,
        "param":  ""
    }
]

The cgiserver.cgi will reach the assert at [1] and consequently reboot the camera.

CVE-2021-44393 - GetIsp param is not object

The GetIsp’s JSON param parser will assume that the param JSON element is an object, accessing it using subscription operator. If the following request’s body is provided:

[
    {
        "cmd": "GetIsp",
        "action": 0,
        "param":  ""
    }
]

The cgiserver.cgi will reach the assert at [1] and consequently reboot the camera.

CVE-2021-44394 - GetOsd param is not object

The GetOsd’s JSON param parser will assume that the param JSON element is an object, accessing it using subscription operator. If the following request’s body is provided:

[
    {
        "cmd": "GetOsd",
        "action": 0,
        "param":  ""
    }
]

The cgiserver.cgi will reach the assert at [1] and consequently reboot the camera.

CVE-2021-44395 - GetMask param is not object

The GetMask’s JSON param parser will assume that the param JSON element is an object, accessing it using subscription operator. If the following request’s body is provided:

[
    {
        "cmd": "GetMask",
        "action": 0,
        "param":  ""
    }
]

The cgiserver.cgi will reach the assert at [1] and consequently reboot the camera.

CVE-2021-44396 - Preview param is not object

The Preview’s JSON param parser will assume that the param JSON element is an object, accessing it using subscription operator. If the following request’s body is provided:

[
    {
        "cmd": "Preview",
        "action": 0,
        "param":  ""
    }
]

The cgiserver.cgi will reach the assert at [1] and consequently reboot the camera.

CVE-2021-44397 - rtmp=start param is not object

The rtmp=start’s JSON param parser will assume that the param JSON element is an object, accessing it using subscription operator. If the following request’s body is provided:

[
    {
        "cmd": "rtmp=start",
        "action": 0,
        "param":  ""
    }
]

The cgiserver.cgi will reach the assert at [1] and consequently reboot the camera.

CVE-2021-44398 - rtmp=stop param is not object

The rtmp=stop’s JSON param parser will assume that the param JSON element is an object, accessing it using subscription operator. If the following request’s body is provided:

[
    {
        "cmd": "rtmp=stop",
        "action": 0,
        "param":  ""
    }
]

The cgiserver.cgi will reach the assert at [1] and consequently reboot the camera.

CVE-2021-44399 - GetPtzPreset param is not object

The GetPtzPreset’s JSON param parser will assume that the param JSON element is an object, accessing it using subscription operator. If the following request’s body is provided:

[
    {
        "cmd": "GetPtzPreset",
        "action": 0,
        "param":  ""
    }
]

The cgiserver.cgi will reach the assert at [1] and consequently reboot the camera.

CVE-2021-44400 - GetPtzPatrol param is not object

The GetPtzPatrol’s JSON param parser will assume that the param JSON element is an object, accessing it using subscription operator. If the following request’s body is provided:

[
    {
        "cmd": "GetPtzPatrol",
        "action": 0,
        "param":  ""
    }
]

The cgiserver.cgi will reach the assert at [1] and consequently reboot the camera.

CVE-2021-44401 - PtzCtrl param is not object

The PtzCtrl’s JSON param parser will assume that the param JSON element is an object, accessing it using subscription operator. If the following request’s body is provided:

[
    {
        "cmd": "PtzCtrl",
        "action": 0,
        "param":  ""
    }
]

The cgiserver.cgi will reach the assert at [1] and consequently reboot the camera.

CVE-2021-44402 - GetPtzSerial param is not object

The GetPtzSerial’s JSON param parser will assume that the param JSON element is an object, accessing it using subscription operator. If the following request’s body is provided:

[
    {
        "cmd": "GetPtzSerial",
        "action": 0,
        "param":  ""
    }
]

The cgiserver.cgi will reach the assert at [1] and consequently reboot the camera.

CVE-2021-44403 - GetPtzTattern param is not object

The GetPtzTattern’s JSON param parser will assume that the param JSON element is an object, accessing it using subscription operator. If the following request’s body is provided:

[
    {
        "cmd": "GetPtzTattern",
        "action": 0,
        "param":  ""
    }
]

The cgiserver.cgi will reach the assert at [1] and consequently reboot the camera.

CVE-2021-44404 - GetZoomFocus param is not object

The GetZoomFocus’s JSON param parser will assume that the param JSON element is an object, accessing it using subscription operator. If the following request’s body is provided:

[
    {
        "cmd": "GetZoomFocus",
        "action": 0,
        "param":  ""
    }
]

The cgiserver.cgi will reach the assert at [1] and consequently reboot the camera.

CVE-2021-44405 - StartZoomFocus param is not object

The StartZoomFocus’s JSON param parser will assume that the param JSON element is an object, accessing it using subscription operator. If the following request’s body is provided:

[
    {
        "cmd": "StartZoomFocus",
        "action": 0,
        "param":  ""
    }
]

The cgiserver.cgi will reach the assert at [1] and consequently reboot the camera.

CVE-2021-44406 - GetAutoFocus param is not object

The GetAutoFocus’s JSON param parser will assume that the param JSON element is an object, accessing it using subscription operator. If the following request’s body is provided:

[
    {
        "cmd": "GetAutoFocus",
        "action": 0,
        "param":  ""
    }
]

The cgiserver.cgi will reach the assert at [1] and consequently reboot the camera.

CVE-2021-44407 - TestEmail param is not object

The TestEmail’s JSON param parser will assume that the param JSON element is an object, accessing it using subscription operator. If the following request’s body is provided:

[
    {
        "cmd": "TestEmail",
        "action": 0,
        "param":  ""
    }
]

The cgiserver.cgi will reach the assert at [1] and consequently reboot the camera.

CVE-2021-44408 - TestFtp param is not object

The TestFtp’s JSON param parser will assume that the param JSON element is an object, accessing it using subscription operator. If the following request’s body is provided:

[
    {
        "cmd": "TestFtp",
        "action": 0,
        "param":  ""
    }
]

The cgiserver.cgi will reach the assert at [1] and consequently reboot the camera.

CVE-2021-44409 - TestWifi param is not object

The TestWifi’s JSON param parser will assume that the param JSON element is an object, accessing it using subscription operator. If the following request’s body is provided:

[
    {
        "cmd": "TestWifi",
        "action": 0,
        "param":  ""
    }
]

The cgiserver.cgi will reach the assert at [1] and consequently reboot the camera.

CVE-2021-44410 - UpgradePrepare param is not object

The UpgradePrepare’s JSON param parser will assume that the param JSON element is an object, accessing it using subscription operator. If the following request’s body is provided:

[
    {
        "cmd": "UpgradePrepare",
        "action": 0,
        "param":  ""
    }
]

The cgiserver.cgi will reach the assert at [1] and consequently reboot the camera.

CVE-2021-44411 - Search param is not object

The Search’s JSON param parser will assume that the param JSON element is an object, accessing it using subscription operator. If the following request’s body is provided:

[
    {
        "cmd": "Search",
        "action": 0,
        "param":  ""
    }
]

The cgiserver.cgi will reach the assert at [1] and consequently reboot the camera.

CVE-2021-44412 - GetRec param is not object

The GetRec’s JSON param parser will assume that the param JSON element is an object, accessing it using subscription operator. If the following request’s body is provided:

[
    {
        "cmd": "GetRec",
        "action": 0,
        "param":  ""
    }
]

The cgiserver.cgi will reach the assert at [1] and consequently reboot the camera.

CVE-2021-44413 - AddUser param is not object

The AddUser’s JSON param parser will assume that the param JSON element is an object, accessing it using subscription operator. If the following request’s body is provided:

[
    {
        "cmd": "AddUser",
        "action": 0,
        "param":  ""
    }
]

The cgiserver.cgi will reach the assert at [1] and consequently reboot the camera.

CVE-2021-44414 - DelUser param is not object

The DelUser’s JSON param parser will assume that the param JSON element is an object, accessing it using subscription operator. If the following request’s body is provided:

[
    {
        "cmd": "DelUser",
        "action": 0,
        "param":  ""
    }
]

The cgiserver.cgi will reach the assert at [1] and consequently reboot the camera.

CVE-2021-44415 - ModifyUser param is not object

The ModifyUser’s JSON param parser will assume that the param JSON element is an object, accessing it using subscription operator. If the following request’s body is provided:

[
    {
        "cmd": "ModifyUser",
        "action": 0,
        "param":  ""
    }
]

The cgiserver.cgi will reach the assert at [1] and consequently reboot the camera.

CVE-2021-44416 - Disconnect param is not object

The Disconnect’s JSON param parser will assume that the param JSON element is an object, accessing it using subscription operator. If the following request’s body is provided:

[
    {
        "cmd": "Disconnect",
        "action": 0,
        "param":  ""
    }
]

The cgiserver.cgi will reach the assert at [1] and consequently reboot the camera.

CVE-2021-44417 - GetAlarm param is not object

The GetAlarm’s JSON param parser will assume that the param JSON element is an object, accessing it using subscription operator. If the following request’s body is provided:

[
    {
        "cmd": "GetAlarm",
        "action": 0,
        "param":  ""
    }
]

The cgiserver.cgi will reach the assert at [1] and consequently reboot the camera.

CVE-2021-44418 - GetMdState param is not object

The GetMdState’s JSON param parser will assume that the param JSON element is an object, accessing it using subscription operator. If the following request’s body is provided:

[
    {
        "cmd": "GetMdState",
        "action": 0,
        "param":  ""
    }
]

The cgiserver.cgi will reach the assert at [1] and consequently reboot the camera.

CVE-2021-44419 - GetMdAlarm param is not object

The GetMdAlarm’s JSON param parser will assume that the param JSON element is an object, accessing it using subscription operator. If the following request’s body is provided:

[
    {
        "cmd": "GetMdAlarm",
        "action": 0,
        "param":  ""
    }
]

The cgiserver.cgi will reach the assert at [1] and consequently reboot the camera.

Timeline

2021-12-06 - Vendor Disclosure
2022-01-19 - Vendor Patched

2022-01-26 - Public Release

Credit

Discovered by Francesco Benvenuto of Cisco Talos.