Not just about Dirty COW... but more about Peplink transparency about product security in general


#1

Hello there!

It’s my understanding, based on talking with some Peplink technical support staff on the phone, that Peplink/Pepwave devices use an OS that is based on Linux.

If this is true, why don’t we see firmware releases accompanied by info about what Linux-related CVE IDs were addressed or what Linux kernel version was used in the firmware release? I did a forum-wide search for “linux” and “cve” and the only search result I got back was this one, where those 2 keywords were mentioned by the OP, not Peplink staff.

Is this just Peplink practicing security by obscurity? (That’s not necessarily always a bad thing, so I’m not knocking that here, mind you.)

The Dirty COW vulnerability (CVE-2016-5195), which affects a mind-boggling number of Linux devices [kernel vers. 2.x up to, but not including, 4.8.3] (by letting a local user *easily* gain root privs), was big news just last month (October 2016). Since then, several Linux distros have already released new, fixed versions with the kernel appropriately patched by Torvalds himself. But given the lack of recent, post-October 2016 firmware updates by Peplink/Pepwave, I’m guessing you guys haven’t patched yet… or see no good reason to do so.

While the Dirty COW vulnerability probably isn’t a big issue in and of itself (after all, it requires local access, right?), if a remote hacker takes advantage of that security weakness in conjunction with another known or unknown Linux remote code execution exploit, then leaving flaws like Dirty COW unpatched out of apathy can indeed become a big deal in a hurry!

As a user of Peplink products, my ultimate concern is this: I want your devices to be as hardened as possible so that the likelihood of a miscreant remoting into, say, one of my Peplink routers, and then changing firewall rules or retrieving or clearing device logs… is minimal. Of course, nothing is completely hacker-proof. But it would be extremely foolhardy to leave *known* vulnerabilities unpatched, especially when those patches are *readily* available to you.

Thanks in advance for any official responses from Peplink technical staff or management.

Best,

Roberto Broccoli


#2

Hi Roberto,
I’ll leave a current member of staff to answer your questions specifically / directly, but as a former Peplink staff member I thought I’d share my observations / thoughts.

Peplink has one of the most internally active public forums of any vendor I have ever seen, with everyone from senior management through to the developers and even admin staff encouraged (and indeed expected) to take an active role on the forum. As such I know that this post will very likely be seen and discussed by the marketing team, by the product management team, by the software and hardware engineering teams and by the customer support staff.

Combating vulnerabilities as they are discovered, announced and identified online (both online in general and here in the forum specifically) comes above everything else in the business, and I have witnessed first hand how quickly Peplink moves to resolve any issues of this type. I’m confident you will get an update from the software team on Dirty Cow in this thread shortly.

Is Peplink as transparent as other vendors about this type of activity - yes and no. Whilst it’s true that there is not a single official page you can visit to see a list of vulnerabilities and their effect / status relative to Peplink hardware, they do make it clear when a vulnerability has been addressed by a firmware release - for example the release notes for fw 6.2 very clearly state that it addresses SSLv3 POODLE Vulnerability (CVE-2014-3566), and of course as you might expect, announcements are made here on the forum about vulnerabilities too. They are just perhaps not very easy to find.

As for security by obscurity - yes I believe this to be an active (and sensible) practice at Peplink, but like any good holistic approach to security it is only one of many tools in use, and not relied on as the main method of securing the products.

Peplink works hard to secure both its products and its intellectual property around its core technologies for both obvious commercial - and perhaps less obvious technical / security reasons. If you do a search on here you’ll find a good number of threads requesting true SSH/CLI access to the devices (the CLI is heavily restricted and generally read only), many see the lack of device level terminal access as an unnecessary restriction (with very valid reasons for wanting access to the terminal for remote monitoring etc) but it is also actually a very good defence against device level attacks as if there is no ‘normal’ or ‘easy’ way to get to a shell, the attack vectors are considerably reduced.

As a network engineer who relies on Peplink devices for both my own networks and those of my customers, and as a former Peplink engineer who has seen this from ‘the inside’, I am extremely confident that Peplink actively hardens its devices using industry best practices and proactively searches out and addresses security vulnerabilities as and when they arise.
I also know from first hand experience that when a new vulnerability is discovered, addressing it has the highest priority over any other activity in the business, and that when security researchers approach Peplink with any new discovery - not only do they find it surprisingly easy to get the attention of the highest levels of management, but they are also treated with the professional respect they deserve and given direct access to senior engineering teams to enable rapid issue resolution.

That said, I do think that Peplink ought to have a security bulletin page or forum section that consolidates security announcements - and perhaps they will consider it in the near future.


#3

Hello Martin!

Thank you for taking the time to write such a thoughtful and thorough reply. It was heartening to read such words, particularly as you used to work at Peplink as a solution architect.

As to how soon (or whether at all!) current Peplink management or technical staff will say something about this officially on record, I won’t hold my breath. But if this thread (and others like it) stimulates internal discussions at Peplink about how to better address security concerns and consolidate security announcements (as you mentioned), Peplink customers will be the eventual beneficiaries.

Best,

Roberto Broccoli


#4

Hello Roberto,

Thank you for raising this.
First we’d like to assure you that you have nothing to worry about.
None of our devices are affected by the Dirty COW vulnerability (CVE-2016-5195). While there are Linux components, we don’t have any local accounts (as you correctly said) so that is one factor.

To add to what Martin said, here at Peplink we do take transparency / disclosure and security very seriously and work continuously to secure our devices. We have always made it our policy to disclose the status of known and affected vulnerabilities to our customers and the general public here on the forum, our social media channels, newsletters, release notes, knowledgebase and so on, as well as to CERT.

We certainly appreciate your feedback and will look to improve our communication e.g. consolidated security bulletins.

For now, the easiest way for you to see our security related announcements is in the Announcements section of the forum.

https://forum.peplink.com/forums/20-Announcements


#5

Hello Eric,

Good to know! And yes, consolidating all your security bulletins would be an improvement.

Thank you for replying so quickly to this the other day.

Best,

Roberto Broccoli