Are Legacy Models Insecure?

After quite a few comments left here and there on various posts, I can’t seem to find an answer to what I’d imagine to be a fairly straightforward question.

Simply put: Are Peplink products that are now considered “Legacy” as per this post set to receive continuous security updates despite them not being upgradeable to 8.4?

When asked, a Peplink Representative appeared to assure that legacy models were set to receive some sort of maintenance/security updates despite not receiving the latest releases going forward. They even linked to this page which seems to reinforce their comment. So, why is it that we are 6 months removed from the initial notification of a vulnerability, and there has been no “patch” to address this issue on legacy products?

The vulnerability stated here, again, a little over six months ago highlights a need to mitigate an issue affecting most Peplink products. Promises are made that this vulnerability will be addressed in a future release. The 8.4 launch is here and official but there has been zero mention of any sort of 8.3.X release for “Legacy” models that would address these security issues.

Will this be addressed? If so, when?

Thank you
JS

Hi Jon - thank you for raising this question; it’s an important one to get a clear answer on.

Yes, they are. The only limitation on this is when a security fix requires a fundamental OS level change (like an upgrade to the latest Linux Kernel) where the older hardware platforms are not capable of supporting the change.

In the case of this specific vulnerability, the identified Peplink models that can only be upgraded to the 8.3 series are running older kernels.

These models do not have enough resources to upgrade the kernel to the same level as later devices that have been patched. For other vulnerabilities which do not require a kernel upgrade, we will expect to have new 8.3.x firmware with security updates.

It did take a moment or two for us to see the fix for this made available, you’re right. It is now included in 8.4 / 3.9.3 firmware for MAX/Balance/APs, as you noted.

On high risk security issues Peplink has a history of being very fast to release patches / fixes.

In this instance the response took longer, but to be fair there were more moving parts here than usual, since a key change needed was the Kernel upgrade.
Peplink needed to wait for multiple SoC OEMs to release their patches before they could then patch the individual Peplink device firmwares.

Although the time taken wasn’t ideal, considering most vendors assessed the vulnerability as low risk I do think it was acceptable. Especially with the delays involved in sourcing kernel patches from the underlying chip makers.

What is less acceptable is the lack of communication throughout and I have raised that with the engineering team as an area that requires improvement.


Hello Martin.

First I would like to state that I am very appreciative of your response.

It is unfortunate that legacy models are unable to receive the aforementioned patch due to hardware limitations. With that said, it is good to know that security updates will be applied to legacy models should they not require the latest kernel. I guess this is par for the course as far as the tech industry at large goes; hardware becomes obsolete at some point. There is not much to say beyond that.

I appreciate Peplink taking the time to get an update right. I don’t want to come off as if saying “6 months is too long”. Rather, I meant to say 6 months with little correspondence on top of the lack of communication for legacy models is what I find hard to accept. With that said, I’m glad to hear Peplink aims for a stable and secure firmware release.

This.

Like I have stated before - and not to sound like a broken record - I am appreciative of your response, though it’d be nice if Peplink could clarify security updates and their relation to legacy products. Hunting down a response to this on a forum is not ideal, and would be better suited on a dedicated page; perhaps even a revamp to the current legacy products page. All in all, I think the community Peplink has is solid based on what I see from lurking here occasionally, and I’m sure you all at Peplink are aware of that as well. With that said, I’d say the transparency around this topic in particular needs improvement like you’ve already acknowledged. With discussions of a new SOHO product being targeted toward consumers, personally, I would like to see a similar level of communication moving forward with respect to updates/hardware expectations should this device be close on the horizon.

Thank you again,
JS

Thanks for raising this @Jon_Stewart8282 and @MartinLangmaid for the respectful reply. I’d like to reiterate Jon’s last post on improving the transparency on support for legacy products such as the Surf Soho. I’m not sure how much these lower end models contribute to the company’s bottom line, but the way a company treats its lower value customers (such as by how well they keep them informed/updated) does reflect a more general attitude towards its customer base. Furthermore, those who buy these lower end models may not always be lower end model buyers in the future, and if the company is less than supportive towards these customers (whether it be by not providing as timely security updates for legacy hardware etc.) then they risk losing that customer permanently to competitors who can provide the high value security that I think Peplink has a solid niche for currently…

Some lingering questions I have after reading these few posts:

  • Where can we see the currently known bugs/security issues affecting legacy models? I own the Surf Soho MkIII and so am particularly interested in any security issues that have been patched by 8.4.0, but for which no fixes in the form of an 8.3.x have been released for the Surf Soho, for example.
  • When is the next firmware update for the Surf Soho (and other legacy models) going to be released?
  • When is the replacement for the Surf Soho going to be made available for purchase, and when will any details about it be provided?

Any advice on these above questions would be appreciated - particularly in the context of owning a now legacy product…
