ALTICE LABS SFR France GR140DG and GR140IG Command Injection Vulnerability in Traceroute Handler

Vulnerability

A command injection vulnerability has been identified in the traceroute diagnostic handler of the ALTICE LABS / SFR France GR140DG and GR140IG fibre CPE/Router/Gateway. This vulnerability allows authenticated remote attackers to execute arbitrary commands as root by exploiting unsanitized user input in the destAddr parameter, using shell command substitution. The issue arises because the WebUI process runs with root privileges, enabling full control over the device.
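
The flaw class described above, a user-controlled destination string interpolated into a shell command line, is illustrated below in Python as an added example; it is not the GR140DG firmware's own code, and the function names, the `-m 30` hop limit and the sample inputs are all constructed. The vulnerable form is kept as a string builder only, so nothing is executed; the hardened form validates destAddr as an IP literal or DNS hostname and hands traceroute an argv list with no shell involved, which is the fix a diagnostic handler needs regardless of which privilege it runs under.

```python
import ipaddress
import re
import subprocess

# One DNS label: alphanumerics and hyphens, no leading/trailing hyphen, max 63 chars.
# Leading "-" is also rejected, which prevents the value being parsed as a traceroute flag.
HOSTNAME_LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def is_valid_target(dest_addr: str) -> bool:
    """Return True only for an IPv4/IPv6 literal or a syntactically valid hostname.

    Shell metacharacters ($, `, ;, |, whitespace, ...) are rejected by construction,
    so no escaping step is needed downstream.
    """
    if not dest_addr or len(dest_addr) > 253:
        return False
    try:
        ipaddress.ip_address(dest_addr)
        return True
    except ValueError:
        pass
    labels = dest_addr.rstrip(".").split(".")
    return all(HOSTNAME_LABEL.match(label) for label in labels)


def vulnerable_traceroute_command(dest_addr: str) -> str:
    """Mirrors the flaw class: the parameter is pasted into a shell string.

    If this string were passed to a shell (shell=True / system()), any $(...) or
    backtick substitution inside dest_addr would run with the handler's privileges.
    Returned as a string only; never executed here.
    """
    return f"traceroute -m 30 {dest_addr}"  # hypothetical hop limit


def hardened_traceroute_argv(dest_addr: str) -> list[str]:
    """Validate first, then build an argv list so no shell ever parses the input."""
    if not is_valid_target(dest_addr):
        raise ValueError("destAddr is not a valid IP address or hostname")
    return ["traceroute", "-m", "30", dest_addr]


def run_traceroute(dest_addr: str, runner=subprocess.run):
    """Run the hardened command. `runner` is injectable so the logic can be tested offline."""
    argv = hardened_traceroute_argv(dest_addr)
    # shell=False is the default, stated explicitly to make the intent visible in review.
    return runner(argv, shell=False, capture_output=True, text=True, timeout=60)


if __name__ == "__main__":
    # Constructed inputs: one benign, one carrying a command substitution.
    for candidate in ("192.0.2.1", "192.0.2.1 $(id)"):
        print(repr(candidate), "->", "accepted" if is_valid_target(candidate) else "rejected")
```

The validator is the control that matters: once destAddr can only be an address or hostname, the argv form cannot carry a second command, and the string form in `vulnerable_traceroute_command` shows exactly why the original interpolation was unsafe. Dropping the WebUI process to an unprivileged user would further limit what an injection could reach, but does not replace input validation.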

Impact

Exploitation of this vulnerability allows authenticated users to execute arbitrary commands with root privileges on the affected router. Given that the GR140DG is widely distributed as the default fibre CPE for SFR customers in France, this vulnerability has significant implications. The injection flaw also opens avenues for lateral movement from compromised WebUI credentials or malware residing on the local network.

Remediation

Users are advised to update to firmware version 3GN8020803R0B or later, which addresses this vulnerability. For devices that have not yet received the update, it is recommended to restrict WebUI access to the local area network, rotate WebUI credentials, and disable remote management. Additionally, network segmentation can be implemented between the router management interface and untrusted LAN devices, along with monitoring for unusual outbound traffic from the CPE.

Added: May 5, 2026, 5:01 PM
Updated: May 5, 2026, 5:01 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 7.5
exploitability: 6.6
remediation: 0.0
relevance: 7.5
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.