on 20-09-2021 12:44
I've read about the zero day vulnerability in the news recently, which uncovers the true IP of the user even if they use a VPN. (https://portswigger.net/daily-swig/vpn-users-unmasked-by-zero-day-vulnerability-in-virgin-media-rout...)
Has this been patched on the Hub 3 already or if not, when will this happen?
If the Hub 4 is not vulnerable to this exploit, are we able to get one to replace the Hub 3?
Answered! Go to Answer
on 20-09-2021 17:02
@alanjairey wrote:I've read about the zero day vulnerability in the news recently, which uncovers the true IP of the user even if they use a VPN. (https://portswigger.net/daily-swig/vpn-users-unmasked-by-zero-day-vulnerability-in-virgin-media-rout...)
Has this been patched on the Hub 3 already or if not, when will this happen?
If the Hub 4 is not vulnerable to this exploit, are we able to get one to replace the Hub 3?
Well VM are famously tight-lipped about what exactly is in any firmware updates, as they haven't expressly said that this vulnerability has been fixed then assume it hasn't.
When will it happen? Who knows? To be honest considering all the other flaws in the firmware especially in the Hub 4 - probably never! I would imagine that VM would take a look at what percentage of customers probably use a VPN and conclude that it's not worth expending resources on fixing
As for the Hub 4, I would expect they share a lot of code, so probably best to assume that this is just as vulnerable, and judging by a number of posts across this forum, possibly more flaky.
The vulnerability is a DNS rebind attack so it should be mitigated if you use your own router with the Hub in modem mode.
on 20-09-2021 14:41
The problem is only when you use a VPN.
on 20-09-2021 15:02
on 20-09-2021 17:02
@alanjairey wrote:I've read about the zero day vulnerability in the news recently, which uncovers the true IP of the user even if they use a VPN. (https://portswigger.net/daily-swig/vpn-users-unmasked-by-zero-day-vulnerability-in-virgin-media-rout...)
Has this been patched on the Hub 3 already or if not, when will this happen?
If the Hub 4 is not vulnerable to this exploit, are we able to get one to replace the Hub 3?
Well VM are famously tight-lipped about what exactly is in any firmware updates, as they haven't expressly said that this vulnerability has been fixed then assume it hasn't.
When will it happen? Who knows? To be honest considering all the other flaws in the firmware especially in the Hub 4 - probably never! I would imagine that VM would take a look at what percentage of customers probably use a VPN and conclude that it's not worth expending resources on fixing
As for the Hub 4, I would expect they share a lot of code, so probably best to assume that this is just as vulnerable, and judging by a number of posts across this forum, possibly more flaky.
The vulnerability is a DNS rebind attack so it should be mitigated if you use your own router with the Hub in modem mode.