It’s my understanding, based on talking with some Peplink technical support staff on the phone, that Peplink/Pepwave devices use an OS that is based on Linux.
If this is true, why don’t we see firmware releases accompanied by info about what Linux-related CVE IDs were addressed or what Linux kernel version was used in the firmware release? I did a forum-wide search for “linux” and “cve” and the only search result I got back was this one, where those 2 keywords were mentioned by the OP, not Peplink staff.
Is this just Peplink practicing security by obscurity? (That’s not necessarily always a bad thing, so I’m not knocking that here, mind you.)
The Dirty COW vulnerability (CVE-2016-5195), which affects a mind-boggling number of Linux devices [kernel vers. 2.x up to, but not including, 4.8.3] (by letting a local user *easily *gain root privs), was big news just last month (October 2016). Since then, several Linux distros have already released new, fixed versions with the kernel appropriately patched by Torvalds himself. But given the lack of recent, post-October 2016 firmware updates by Peplink/Pepwave, I’m guessing you guys haven’t patched yet… or see no good reason to do so.
While the Dirty COW vulnerability probably isn’t a big issue in and of itself (after all, it requires local access, right?), if a remote hacker takes advantage of that security weakness in conjunction with another known or unknown Linux remote code execution exploit, then leaving flaws like Dirty COW unpatched out of apathy can indeed become a big deal in a hurry!
As a user of Peplink products, my ultimate concern is this: I want your devices to be as hardened as possible so that the likelihood of a miscreant remoting into, say, one of my Peplink routers, and then changing firewall rules or retrieving or clearing device logs… is minimal. Of course, nothing is completely hacker-proof. But it would be extremely foolhardy to leave *known *vulnerabilities unpatched, especially when those patches are *readily *available to you.
Thanks in advance for any official responses from Peplink technical staff or management.