Surf SOHO MK3 - Firmware 8.4.0

martian_packet · January 17, 2024, 3:31am

About the recent CVE, beside the mitigation of disabling SSH, the recommendation is to upgrade 8.4.0

But support for Surf SOHO was dropped with 8.4.0.

And I need SSH running.

Please advise. Is 8.3.1 planned or it’s a tough luck situation?

martian_packet · January 22, 2024, 2:57am

Pepwave people,

We need an official answer regarding 8.3.0 and it’s security vulnerability. It’s remarkably trivial to jailbreak the unit and observe all passwords stored in amazing plaintext across the config files.

Is 8.4.0 flashable on surf soho yes or no. Simple.

Thank you.

J_J · January 23, 2024, 11:00pm

From the release notes regarding Firmware 8.4.0 - seems official enough:

Further major firmware updates will NOT support the following models. They will receive
Firmware 8.3.x maintenance releases as needed.
Product Hardware Revision
Balance 20 HW7-8
Balance 210 HW2-3
Balance 30 LTE HW1-2
Balance 310 HW2-3
Balance 50 HW1-3
MAX 700 HW1-2
MAX BR1 HW2-3
MAX BR1 HW1
MAX BR1 ESN HW1
MAX BR1 IP55 HW1-3
MAX BR1 IP67 HW1
MAX BR1 M2M HW1-3
MAX BR1 MK2 HW1-3
MAX BR1 Mini HW1-2
MAX BR1 Mini Core HW1-2
MAX BR1 Pro HW2-6
MAX BR1 Slim HW1
MAX BR2 HW2-3
MAX BR2 IP55 HW2-3
MAX HD2 HW1-4
MAX HD2 IP67 HW1
MAX Hotspot HW1
MAX On-The-Go HW2
MAX Transit Mini HW1
SpeedFusion
Engine HW1-2
Surf SOHO HW2
Surf SOHO MK3 HW1
UBR LTE HW1-2

martian_packet · January 27, 2024, 5:03pm

Correct. At the same time:

https://forum.peplink.com/t/peplink-security-advisory-firmware-830-multiple-vulnerabilities-cve-2023-49229-cve-2023-49230/6572aeb8035f027169d492b2/

Products
The vulnerabilities were identified in the Peplink Balance, MAX, MediaFast, Surf SOHO, and FusionHub product families in the firmware version 8.3.0.

Solution
It has been fixed in the firmware version 8.4.0

That communication is confusing for Surf SOHO user and should perhaps say that for this group of user, it’s just too bad.

Hence why I asked clarifications.

J_J · January 27, 2024, 5:41pm

Fair enough. I still reckon even with that vulnerability my old Soho is still more resilient than most mainstream models - ok not completely happy, but I am with you on this - would be nice to know ‘how vulnerable’ we are.
As in - can anyone just dial into my network now?

EDIT
Just looked again and, for me at least but not for you Martian, my SSH is not enabled
(System/Admin Security)

martian_packet · January 27, 2024, 5:52pm

yeah as long as ssh isn’t listening on the WAN ports you are mostly good you trust everyone internally. If you don’t, I would advise you disable ssh completely. If someone gained access to your router, then can get into a busybox shell as root and access the whole configuration, including passwords in clear text, quite easily.

J_J · January 27, 2024, 6:26pm

That is the problem.
I trust my devices - mostly locked down as much as possibly whilst still keeping some function, but can’t really trust the family’s devices.
Always just waiting for the inevitable to happen. However, I’m not a big player, so hopefully if I don’t make eye contact all is fine.

martian_packet · January 27, 2024, 6:53pm

Personally I came to actually like the security hole, this way I can see what’s going on with my low-level software developer eyes, instead of a CPU percent summary which doesn’t tell you what actually takes up all the CPU. But I enable ssh only when I want to perform debugging. Especially useful now that can’t count on any future updates for that device.

I have the same philosophy for any device I purchased, the day the support from the manufacturer ends its the day I can jailbreak it.

J_J · January 27, 2024, 7:22pm

I’m purely an end user. Don’t know what SSH does or how to set up VLAN without detailed idiotproof instructions.

I’m ok with hardware - that is more like meccano so harder to get it wrong. Fine building computer systems but not programming the damned things - and as for networks - the dark arts.

Are you going to go for the B One (silly name) when it comes out?

martian_packet · January 27, 2024, 7:28pm

I’m thinking about it! My 802.11ac infra shows its age. Will depend on its price and availability in Canada…

J_J · January 27, 2024, 7:53pm

Ha - me too. Glad I’m not the only one with the outdated hardware.

martian_packet · January 31, 2024, 11:09pm

Hahaha! you are far from being the only one!

I looked at the B-One specs. I’m tempted I must say. I’m considering my options. If I got with the B-One I’ll likely go with a speed fusion subscription. I need to calculate the TCO.

martian_packet · January 31, 2024, 11:19pm

One concern I have is that Pepwave appears to ‘try’ a stripped down Balance for the SOHO market. Which makes me wonder how much of a ‘first class citizen’ in the product portfolio this is. I don’t want to invest that much in a product with only a few years support lifespan, or a RevB making the original unsupported.

To me the balance series still appears the main line of products getting all the love. I love the idea of a soho product getting the benefits of the love to a smaller scale… as long it’s well supported. I think those with the money should probably go with the Balance serie. It is, however, beyond my budget unless I find it used or refurbished.

So my concern is how much pepwave is interested to that (crowded) market segment vs their enterprise offerings.

Jonathan_Pitts · January 31, 2024, 11:30pm

That’s all changed the replacement soho product is the B one, see this post:
https://forum.peplink.com/t/b-one-impressive-capability-with-incredible-value/65b8378959ec77fcdea34737/