Talos Vulnerability Report

TALOS-2022-1448

Reolink RLC-410W hardcoded TLS key information disclosure vulnerability

January 26, 2022

CVE Number

CVE-2022-21199

Summary

An information disclosure vulnerability exists due to the hardcoded TLS key of Reolink RLC-410W v3.0.0.136_20121102. A specially-crafted man-in-the-middle attack can lead to a disclosure of sensitive information. An attacker can perform a man-in-the-middle attack to trigger this vulnerability.

Tested Versions

Reolink RLC-410W v3.0.0.136_20121102

Product URLs

RLC-410W - https://reolink.com/us/product/rlc-410w/

CVSSv3 Score

7.5 - CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

CWE

CWE-321 - Use of Hard-coded Cryptographic Key

Details

The Reolink RLC-410W is a WiFi security camera. The camera includes motion detection functionalities and various methods to save the recordings.

The RLC-410W ships with a hardcoded TLS key. The following is the relevant part of the nginx configuration used by the camera:

[...]
http
{
    [...]
    server
    {
        [...]
        ssl on;
        ssl_protocols     TLSv1.2;                                                                      [1]
        ssl_certificate /mnt/app/www/self.crt;
        ssl_certificate_key /mnt/app/www/self.key;                                                      [2]
        [...]
    }
}

At [2] the location of the TLS private key is specified. This key is hardcoded in the firmware. At [1] it is possible to see that TLSv1.2 is used.

An attacker can impersonate any camera using the hardcoded TLS private key. Since TLS v1.2 is used in some specific contexts, an attacker could use the TLS private key to decrypt the HTTPS conversation established with the camera, allowing the attacker to successfully perform a MITM attack. This enables the attacker to steal the authentication tokens of logged-in users, potentially allowing the attacker to act with admin privileges.
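
An added example (not from the Talos report or from Reolink) of how a defender could check a camera fleet for this condition: it groups devices by the SHA-256 of the certificate each one serves and flags those sharing one. It goes slightly beyond the text by also recording whether the negotiated cipher suite provides forward secrecy, which decides whether a holder of the key could decrypt captured sessions. The names `fetch` and `audit` are hypothetical, and the sample hosts and certificate bytes are constructed.

```python
import hashlib
import socket
import ssl
from collections import defaultdict

def fetch(host, port=443, timeout=5.0):
    """Return (DER certificate, negotiated cipher name) served by one device."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # device certs are self-signed; we only
    ctx.verify_mode = ssl.CERT_NONE  # fingerprint them, nothing is trusted
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True), tls.cipher()[0]

def has_forward_secrecy(cipher):
    """OpenSSL names: (EC)DHE suites and all TLS 1.3 suites use ephemeral keys."""
    return cipher.startswith(("ECDHE-", "DHE-", "TLS_"))

def audit(observations):
    """observations: {host: (der_cert, cipher)} -> {host: finding dict}."""
    by_fp = defaultdict(list)
    for host, (der, _) in observations.items():
        by_fp[hashlib.sha256(der).hexdigest()].append(host)
    report = {}
    for host, (der, cipher) in observations.items():
        fp = hashlib.sha256(der).hexdigest()
        shared_with = sorted(h for h in by_fp[fp] if h != host)
        if not shared_with:
            risk = "certificate not shared among scanned hosts"
        elif has_forward_secrecy(cipher):
            risk = "shared key: device can be impersonated"
        else:
            risk = "shared key: impersonation and decryption of captured sessions"
        report[host] = {"sha256": fp, "shared_with": shared_with, "risk": risk}
    return report

# Constructed sample (placeholder bytes, documentation addresses), not real data.
SAMPLE = {
    "192.0.2.10": (b"constructed-cert-A", "AES128-GCM-SHA256"),
    "192.0.2.11": (b"constructed-cert-A", "ECDHE-RSA-AES128-GCM-SHA256"),
    "192.0.2.12": (b"constructed-cert-B", "ECDHE-RSA-AES256-GCM-SHA384"),
}

if __name__ == "__main__":
    for host, finding in audit(SAMPLE).items():
        print(host, finding["risk"], finding["shared_with"])
    # Live use: audit({h: fetch(h) for h in ["<camera-ip-1>", "<camera-ip-2>"]})
```

When only one camera is available, a certificate that is not shared among scanned hosts proves nothing; compare its fingerprint with the certificate extracted from the vendor firmware image instead.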

Timeline

2022-01-14 - Vendor Disclosure
2022-01-19 - Vendor Patched
2022-01-26 - Public Release

Credit

Discovered by Francesco Benvenuto of Cisco Talos.