CVE-2022-21199
An information disclosure vulnerability exists due to the hard-coded TLS private key of the Reolink RLC-410W v3.0.0.136_20121102. Because the same key is present in every unit running this firmware, an attacker who extracts it can perform a man-in-the-middle attack against HTTPS connections to the camera and obtain sensitive information.
Reolink RLC-410W v3.0.0.136_20121102
RLC-410W - https://reolink.com/us/product/rlc-410w/
7.5 - CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
CWE-321 - Use of Hard-coded Cryptographic Key
The Reolink RLC-410W is a WiFi security camera. The camera includes motion detection functionalities and various methods to save the recordings.
The RLC-410W ships with a hard-coded TLS private key. The relevant part of the nginx configuration used by the camera follows:
[...]
http
{
    [...]
    server
    {
        [...]
        ssl on;
        ssl_protocols TLSv1.2; [1]
        ssl_certificate /mnt/app/www/self.crt;
        ssl_certificate_key /mnt/app/www/self.key; [2]
        [...]
    }
}
At [2] the path of the TLS private key is specified. This key file is part of the firmware image rather than generated on the device, so every camera running this firmware uses the same private key. At [1] it is possible to see that the server is restricted to TLSv1.2.
An attacker who extracts the hard-coded private key from the firmware can impersonate any RLC-410W to a client. Because the server accepts TLS 1.2, which still allows cipher suites without forward secrecy (RSA key exchange), an attacker who records an HTTPS session negotiated with such a suite can also decrypt it with the private key after the fact; with an active man-in-the-middle position the key lets the attacker terminate TLS as the camera regardless of the negotiated suite. Either way the attacker can steal the authentication token of a logged-in user and, potentially, act with administrator privileges.
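Added example (not part of the Talos advisory or of Reolink's firmware): a Go program that models the consequence described above. It generates one self-signed RSA identity to stand in for self.crt/self.key, serves it from a "camera" listener and from an attacker's MITM listener, and probes each the way a fleet scanner would, recording the SPKI fingerprint of the presented certificate and whether the negotiated suite is forward secret. Every name, address and key here is constructed for the example; the real hard-coded key is not included.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// newIdentity makes a self-signed RSA certificate standing in for self.crt/self.key.
// The vulnerable firmware bakes one pair into every unit; a fix generates it per device.
func newIdentity(cn string) (tls.Certificate, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, nil
}

// spkiFingerprint: SHA-256 of the SubjectPublicKeyInfo, identical on every camera shipping the same key.
func spkiFingerprint(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return hex.EncodeToString(sum[:])
}

// serve starts a TLS 1.2-only listener (mirroring "ssl_protocols TLSv1.2") that presents id.
func serve(id tls.Certificate) (string, error) {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{id}, MaxVersion: tls.VersionTLS12})
	if err != nil {
		return "", err
	}
	go func() {
		for {
			c, err := ln.Accept()
			if err != nil {
				return
			}
			// Complete the handshake so the client sees the leaf certificate, then hang up.
			go func() { defer c.Close(); _ = c.(*tls.Conn).Handshake() }()
		}
	}()
	return ln.Addr().String(), nil
}

// Probe is what one scanner connection learns. ForwardSecret is false for RSA key exchange suites, where the leaked key also decrypts recorded sessions.
type Probe struct {
	Fingerprint, CipherSuite string
	ForwardSecret            bool
}

// probe connects without chain validation (the camera cert is self-signed anyway).
func probe(addr string) (Probe, error) {
	conn, err := tls.Dial("tcp", addr, &tls.Config{InsecureSkipVerify: true})
	if err != nil {
		return Probe{}, err
	}
	defer conn.Close()
	st := conn.ConnectionState()
	name := tls.CipherSuiteName(st.CipherSuite)
	return Probe{spkiFingerprint(st.PeerCertificates[0]), name, st.Version == tls.VersionTLS13 || strings.Contains(name, "DHE")}, nil
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

func main() {
	// Constructed scenario: one firmware identity served by the camera and by an attacker's MITM box, beside a fixed device with its own key.
	firmware, fresh := must(newIdentity("camera")), must(newIdentity("camera"))
	hardcodedFP := spkiFingerprint(firmware.Leaf)
	for name, id := range map[string]tls.Certificate{"camera": firmware, "mitm-box": firmware, "fixed": fresh} {
		p := must(probe(must(serve(id))))
		fmt.Printf("%-8s spki=%s... suite=%s forward_secret=%v affected=%v\n",
			name, p.Fingerprint[:16], p.CipherSuite, p.ForwardSecret, p.Fingerprint == hardcodedFP)
	}
}
```

Because every unit presents the same SubjectPublicKeyInfo, a client that pins the camera's certificate accepts the attacker's listener just as readily, and an inventory scan can flag affected devices by comparing fingerprints against the known hard-coded key. The ForwardSecret flag is the caveat for incident response: an ECDHE session is exposed only to an active man-in-the-middle, whereas an RSA-key-exchange session captured at any time can be decrypted offline with the leaked key.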
2022-01-14 - Vendor Disclosure
2022-01-19 - Vendor Patched
2022-01-26 - Public Release
Discovered by Francesco Benvenuto of Cisco Talos.