by markysparks68 Investigator
Investigator

Brightbox 2 firmware upgrade

From what I understand the Brightbox 2 firmware upgrade is pushed onto the router by EE. How then do we know then when a firmware upgrade is applied by EE? Apparently my DNS masq version is 2.65, and all versions prior to 2.78 are stated as vulnerable, which surely then means that EE have still not provided a firmware upgrade for their Brightbox 2 routers? 

19 REPLIES 19
by Grand Master
Grand Master

Re: Brightbox 2 firmware upgrade

Hi, @markysparks68

 

The same as most providers, updates are pushed out automatically, you will not receive any notification. 

 

Thanks, 




To contact EE Customer Services dial 150 From your EE mobile or 07953 966 250 from any other phone.

EE standard opening hours are 8am to 9pm weekday, 8am to 8pm on weekends.
by markysparks68 Investigator
Investigator

Re: Brightbox 2 firmware upgrade

@Northerner yes I gathered as much, and yet our routers appear to remain vulnerable until the CVE-2017-14991 patch is applied for Brightbox 2 routers. 

by Grand Master
Grand Master

Re: Brightbox 2 firmware upgrade

@markysparks68

 

Vulnerable to what specifically? 




To contact EE Customer Services dial 150 From your EE mobile or 07953 966 250 from any other phone.

EE standard opening hours are 8am to 9pm weekday, 8am to 8pm on weekends.
by
EE Employee

Re: Brightbox 2 firmware upgrade

Hi and welcome to the community @markysparks68

 

So I can try and assist, please can you provide information of which vulnerability that you are referring to.

 

Many thanks,

 

Lee

by markysparks68 Investigator
Investigator

Re: Brightbox 2 firmware upgrade

@Lee_H

 

Vulnerable to being susceptible to a DNS hijack remotely.

by
EE Employee

Re: Brightbox 2 firmware upgrade

Hi @markysparks68

 

So I can pass the information over to the relevant department do you have any examples of a vulnerabilities.

 

Many thanks,

 

Lee

by markysparks68 Investigator
Investigator

Re: Brightbox 2 firmware upgrade

The relevant vulnerability for my router has been assigned a Common Vulnerabilities and Exposures (CVE) ID: CVE-2017-14491 (as mentioned in an earlier post)

 

There is a heap buffer overflow vulnerability in dnsmasq in the IPv6 router advertisement (RA) handling code. An attacker on the local network segment could send crafted RAs to dns masq which would cause it to crash or, potentially, execute arbitrary code. This issue only affected configurations using one of these options: enable-ra, ra-only, slaac, ra-names, ra-advrouter, or ra-stateless.  

by
EE Employee

Re: Brightbox 2 firmware upgrade

Hi @markysparks68 

 

Thank you for the information.

 

I will pass this over to the relevant team who will look into this.

 

Many thanks,

 

Lee

by markysparks68 Investigator
Investigator

Re: Brightbox 2 firmware upgrade

@Lee_H

 

Much appreciated, thank you.

by
EE Employee

Re: Brightbox 2 firmware upgrade

by chinglog Investigator
Investigator

Re: Brightbox 2 firmware upgrade

Interesting post thank you

I've been following router vulnablities recently which seem to be on the increase & I'm concerned that my BB1 has not updated since:-

 v0.00.14.0001-OT (Wed Jun 24 19:52:22 2015)

So much so that connected two TP-link routers running DD-WRT to BB1 in a Y-configuration separating my IOT devices i.e LG tv, Hue light echo devices from my home computer & personal internet devices 

I believe EE bb are not taking these vulnerabilties serious enough & should be pushing the router manufacturer to push out more regular firmware updates.

Side note all my devices were knock of the internet briefly today.

looking into the system logs of the BB1 recorded:-

09:39:57, 29 Jul. Possible DoS attack detected from 184.105.139.125

 

by
EE Employee

Re: Brightbox 2 firmware upgrade

Hi @chinlog and welcome to the community.

 

I have passed this over to the relevant team also 🙂

 

Many thanks,

 

Lee

by Grand Master
Grand Master

Re: Brightbox 2 firmware upgrade

@chinglog: You are always vulnerable to DDoS attacks. The router has done its job & ignored it.

__________________________________________________________________________________________
If you think I helped please feel free to hit the "Thumbs Up" button below.

To phone EE: The local rate landline number +44 207 362 0200 or Freephone +44 800 079 8586 - Option 1 for Mobiles; Option 2 for 4G WiFi; Option 3 for Home Broadband & EE TV.

ISPs: 1999: Freeserve 48K Dial-Up => 2005: Wanadoo 1 Meg BB => 2007: Orange 2 Meg BB => 2008: Orange 8 Meg LLU => 2010: Orange 16 Meg LLU => 2011: Orange 20 Meg WBC => 2014: EE 20 Meg WBC
by Jaco_EE Investigator
Investigator

Re: Brightbox 2 firmware upgrade

Ok and what is happening with this.. Avast is still reporting this..do we have a vulnerability with brightbox or NOT

by Grand Master
Grand Master

Re: Brightbox 2 firmware upgrade

@Jaco_EE: Please post evidence of this alleged vulnerability with a link.

__________________________________________________________________________________________
If you think I helped please feel free to hit the "Thumbs Up" button below.

To phone EE: The local rate landline number +44 207 362 0200 or Freephone +44 800 079 8586 - Option 1 for Mobiles; Option 2 for 4G WiFi; Option 3 for Home Broadband & EE TV.

ISPs: 1999: Freeserve 48K Dial-Up => 2005: Wanadoo 1 Meg BB => 2007: Orange 2 Meg BB => 2008: Orange 8 Meg LLU => 2010: Orange 16 Meg LLU => 2011: Orange 20 Meg WBC => 2014: EE 20 Meg WBC
by Jaco_EE Investigator
Investigator

Re: Brightbox 2 firmware upgrade

The relevant vulnerability for my router has been assigned a Common Vulnerabilities and Exposures (CVE) ID: CVE-2017-14491 (as mentioned in an earlier post)

 

There is a heap buffer overflow vulnerability in dnsmasq in the IPv6 router advertisement (RA) handling code. An attacker on the local network segment could send crafted RAs to dns masq which would cause it to crash or, potentially, execute arbitrary code. This issue only affected configurations using one of these options: enable-ra, ra-only, slaac, ra-names, ra-advrouter, or ra-stateless.  

 

As posted by a previous poster Avast keeps flagging this and EE does not reassure us !!

by Grand Master
Grand Master

Re: Brightbox 2 firmware upgrade

You appear to be quoting verbatim from Security Advisory - Seven vulnerabilities in Google Dnsmasq - Huawei .

 

The BB2 is not manufactured by Huawei but by Arcadyan.

 

Please provide us with a link proving that this vulnerability affects the BB2 or is Avast just guessing it affects all routers?

__________________________________________________________________________________________
If you think I helped please feel free to hit the "Thumbs Up" button below.

To phone EE: The local rate landline number +44 207 362 0200 or Freephone +44 800 079 8586 - Option 1 for Mobiles; Option 2 for 4G WiFi; Option 3 for Home Broadband & EE TV.

ISPs: 1999: Freeserve 48K Dial-Up => 2005: Wanadoo 1 Meg BB => 2007: Orange 2 Meg BB => 2008: Orange 8 Meg LLU => 2010: Orange 16 Meg LLU => 2011: Orange 20 Meg WBC => 2014: EE 20 Meg WBC
by Jaco_EE Investigator
Investigator

Re: Brightbox 2 firmware upgrade

I don't know whether avast is guessing!! all I know is its product is telling me i have a router security issue. As an EE customer all I want to know is do I have an issue or not ? I am not the only one to have posted on this and so far I have seen no satisfactory reply, From what you say the assumption is I have no problem , hardly satisfactory. Have you or anyone else from EE actually run avast security on a PC with BB2 router ? . If so you should know why I have a concern.

by Grand Master
Grand Master

Re: Brightbox 2 firmware upgrade

@Jaco_EE: No, but I run Norton, which is a leading vulnerability checker. Never once has it raised a peep about the BB2.

 

If you are so worried why don't you go out & buy a generic router from a leading manufacturer like Netgear, which you know has been cleared for this vulnerability?

 

"Why should I", I hear you ask.

 

Well, these ISP routers are made down to a price & are only supplied to users to make it easy to use the ISP's supplied BB product.

 

I can't see you getting any reassurance from EE. They don't actually manufacture them but source them in from a niche Far-East manufacturer who does not publish their vulnerabilities.

__________________________________________________________________________________________
If you think I helped please feel free to hit the "Thumbs Up" button below.

To phone EE: The local rate landline number +44 207 362 0200 or Freephone +44 800 079 8586 - Option 1 for Mobiles; Option 2 for 4G WiFi; Option 3 for Home Broadband & EE TV.

ISPs: 1999: Freeserve 48K Dial-Up => 2005: Wanadoo 1 Meg BB => 2007: Orange 2 Meg BB => 2008: Orange 8 Meg LLU => 2010: Orange 16 Meg LLU => 2011: Orange 20 Meg WBC => 2014: EE 20 Meg WBC

Can't find what you're looking for?

One of these options may help you find the answers you need.

Let's get started

Join the EE Community to ask, answer, learn and share.