Skip to main content
Biamp Cornerstone

Keeping Tesira Firmware Current: Security, Compatibility, and Downgrade Considerations

This note explains why keeping Tesira and other Biamp product firmware up to date is essential for security, compatibility, and performance.  This note also explains two alternatives to downgrading firmware

Tesira firmware is more than just DSP improvements

Biamp products, and especially Tesira are part of an ever advancing ecosystem of AV products.  Biamp regularly releases firmware updates to address security vulnerabilities, maintain protocol compatibility, and introduce new features. Staying current with these updates ensures your deployment remains secure and interoperable within the broader AV ecosystem.

Recent examples include:

  • Removal of deprecated SSH/HTTPS ciphers and updates to protocols like OpenSSH.
  • Fixes for CVEs (Common Vulnerabilities and Exposures).
  • Updated Dante firmware versions (e.g., upgraded to 4.2.7.4 in Tesira 4.8.1).
  • Improvements to DHCP behavior, including NTP enabled by default.
  • Improvements for large-scale deployments, including better performance with high AVB stream counts and daisy-chained devices.

Biamp also implements new features and improvements to products via firmware updates.  By downgrading or opting not to update, future security issues can arise.

Why downgrading may not be possible

Hardware revisions can prohibit downgrading

Not every system can be downgraded.  There are several points in a product's lifespan where hardware revisions were needed or new product lines added.  In these cases, we reach a minimum firmware version below which the device cannot operate.  Biamp publishes these minimum firmware versions in publicly available release notes.

Here are some examples of recent hardware revisions and the firmware version that they require:

Tesira hardware Minimum Firmware Required
Tesira DSP Rev B 4.2.2
Tesira DSP FORTE (Rackmount) Rev C 4.4.1
Tesira FORTE X Rev C 4.3.1
Tesira FORTE X Rev E 5.5.1

These hardware revisions are not only visible on the box of new hardware, but Tesira software reports the revision as well.  In the screenshot below the hardware revision of the device is highlighted right above the currently loaded firmware. 
clipboard_e857bb4bdecb447e98b8d1f508a4b0b87.png

 

New devices can prohibit a firmware downgrade.

Sometimes, while a DSP may allow for an older version of firmware, new hardware cannot.  These products work with the DSP in a system and cannot operate on a different firmware than the DSP.  

Some recent examples of such updates include:

New Biamp product Minimum Firmware Required
Voltera D amplified loudspeaker controllers 4.9.0
Voltera DM amplified loudspeaker controllers 4.11.0
Tesira EX-USB 4.11.0
Biamp Workplace 5.0.0
Biamp Workplace control 5.7.0

The presence of these products in a system will prohibit a firmware downgrade as it would break the interoperability with the Tesira DSP.

 

What you lose by downgrading

When downgrading or opting not to update firmware, features and improvements are lost.  This also means that any bugs or vulnerabilities in the system are still present Below is a list of risks introduced by downgrading or skipping firmware updates:

  • Re-introducing bugs that were patched previously.
  • Rolling back improvements to products such as improved Launch capability with custom speaker selection.
  • Downgrading protocols like SSH, TLS and HTTPS.
  • Downgrading Dante firmware (on applicable devices).
  • Loss of support for new features like Workplace command which is within Biamp Workplace.
  • Biamp is unable to fully support a device not on current firmware.  Updating firmware will be treated as a first step in troubleshooting any field-reported problems

Alternatives to downgrading firmware

The most common reason customers request a downgrade is an SSH version mismatch.  As the DSP is updated to patch a vulnerability, the control device must be updated to follow suit.  If not, then the devices do not establish a connection and the outward behavior is that device control ceases. This is not a DSP hardware fault — it is a version mismatch between the control device and the updated SSH implementation on the DSP. Here's how to resolve it without downgrading:

  1. Update the SSH version on the device set to control the DSP.  That way both the control devices (e.g., Crestron or Extron) and the Tesira DSP can both have the security patches that come with the update and retain communication.
  2. Convert your Tesira control to telnet, rather than giving up bug fixes and added features. Tesira supports both SSH and telnet protocols for control and telnet, while less secure than SSH, is still an option for many installs, where security is less of a concern.

Other times, a firmware downgrade may be used to test for feature regressions or to test third-party integrations.  Those should be thought of as temporary tests and as testing, not permanent solutions.

Related links for security and Tesira

For further reading on Tesira networking and security, see the following articles:

Final summary

Biamp recommends running the latest available firmware. Where constraints exist, we recommend staying as current as your environment allows.  

  • Was this article helpful?