ALTICE LABS GR140DG and GR140IG Command Injection Vulnerability in Ping Diagnostic Handler
Vulnerability
A command injection vulnerability has been identified in the ping diagnostic handler of the ALTICE LABS / SFR France GR140DG and GR140IG fibre CPE/Router/Gateway. This vulnerability allows authenticated remote attackers to execute arbitrary commands as root by exploiting the destAddr parameter with crafted input that takes advantage of shell command substitution. The issue arises because user input is inserted into a system() call without proper sanitization, enabling command execution on the device.
Impact
Exploitation of this vulnerability allows authenticated users to execute arbitrary commands with root privileges on the affected router. Given that the GR140DG is widely distributed to SFR Fibre customers in France, this vulnerability has significant impact.
Reproduction
The vulnerability can be reproduced by sending a request to the '/ping.cmd' endpoint with a crafted 'destAddr' parameter that includes shell metacharacters for command substitution. Because the WebUI process runs with elevated privileges, the ping handler executes the injected command on the router as root.
Remediation
Users are advised to update to firmware version 3GN8020803R0B or later, which includes the fix for this vulnerability. For devices that have not yet received the update, it is recommended to restrict WebUI access to the LAN, rotate WebUI credentials, and disable remote management. Additionally, network segmentation between the router management interface and untrusted LAN devices, along with monitoring for unusual outbound traffic from the CPE, can help reduce exposure.
