Reolink’s cameras and NVRs (Network Video Recorders), typically used by homeowners and small businesses, critical infrastructure and industrial operators, have been identified to have vulnerabilities in its Peer-to-Peer (P2P) feature, which raised potential security risks and implications to organizations.
Two vulnerabilities were identified and tracked as CVE-2020-25169 and CVE-2020-25173. CVE-2020-25169, a cleartext of sensitive information reconstruction vulnerability, wherein affected Reolink P2P products do not sufficiently protect data transferred between the local device and Reolink servers. Successful exploitation allows an attacker to access sensitive information, such as camera feeds. Another is CVE-2020-25173, wherein the affected product uses a hard-coded cryptographic key in its protocol exchange between P2P servers. An attacker with local network access can obtain a fixed cryptography key which could lead to further compromise of Reolink P2P cameras outside of local network access.
A. List of Vulnerable Systems/Devices
Affected Reolink devices that has a Peer-to-Peer feature:
Security IP Camera:
- RLC-4XX series
- RLC-5XX series
Network Video Recorders:
- RLN-X10 series
B. Actions to be Taken
CERT-PH recommends the following actions be taken:
- Minimize network exposure for all control system devices and/or systems by isolating them from internal business networks and ensuring that they are not publicly accessible from the Internet.
- Secure and protect control system devices and/or networks using security appliances, such as firewalls and anti-virus solutions.
- When remote access is required, use Virtual Private Networks (VPNs). Also ensure that the devices to be used for remote access into the organizations’ IT network have the latest software updates and security configurations.
- Immediately test and apply the corresponding patched firmware versions of the affected products. (https://reolink.com/download-center/)