Easergy PRO - Third party software components

ControlSystemSoftware · ‎2023-11-13

Easergy Pro makes use of third party software components of which some have existing security vulnerabilities. Winpcap is also not supported anymore.

Easergy Pro third party software Components with vulnerabilities / not supported for security patches:

Software component	Version	Release date	Latest version	Latest version release date	Notes	Security vulnerabilities
Winpcap driver	4.1.3	2013	4.1.3	2013	Industry recommendation is to migrate to a supported version of Npcap [https://www.winpcap.org/]	No patches or support provided
Apache log4net for .NET 4.5	2.0.8	2017	2.0.15	2022	Industry recommendation to migrate to supported version. The installed version has a critical severity security vulnerability [https://www.nuget.org/packages/log4net/2.0.8]	https://github.com/advisories/GHSA-2cwj-8chv-9pp9
					https://nvd.nist.gov/vuln/detail/CVE-2018-1285
JSON.Net	12.0.3.23909	2019	13.0.3	2023	The installed version has a high severity security vulnerability	https://github.com/advisories/GHSA-5crp-9r3c-p9vr
SharpCompress	0.25.1	2020	0.34.1	2023	The installed version has a medium severity security vulnerability [https://www.nuget.org/packages/SharpCompress/0.25.0]	https://github.com/advisories/GHSA-jp7f-grcv-6mjf
SSH.NET .NET4.0	2016.1.0	2017	2020.0.2	2020	The installed version has a medium severity security vulnerability [https://www.nuget.org/packages/SSH.NET/2016.1.0]	https://github.com/advisories/GHSA-72p8-v4hg-v45p

May I ask if it would be possible to confirm the following:

Is Winpcap required or can the software be used for protection relay programming without Winpcap?
Is it possible to use nPcap instead of Winpcap?
Are there any plans to update Easergy Pro to use supported version of the above mentioned software components that have security vulnerabilities fixed? If so, would it be possible to share a target date?

CraigEl · ‎2023-11-14

@ControlSystemSoftware I suggest that you contact your local Schneider Electric Customer Care center to get assistance with this query. It doesn't sound like something that should be discussed in a semi open forum such as this.

https://www.se.com/au/en/work/support/customer-care/contact-schneider-electric.jsp

CraigEl · ‎2023-11-14

I see that you have made a request to Customer Care previously that seems to have been miss-assigned by the system. I have hopefully added enough information to the case so that the correct team in Australia will pick it up and respond to you.

CraigEl · ‎2023-11-14

Alternatively you may want to go to Cybersecurity support portal where you can find known vulnerabilities and mitigations, or report a vulnerability.

https://www.se.com/ww/en/work/support/cybersecurity/security-notifications.jsp

CraigEl · ‎2023-11-15

@ControlSystemSoftware I took a look at your case in our Customer Care system and it seems to have gained some traction following my changes. It has progressed to the Expert Support team responsible for the product and hopefully you'll get an answer soon.

ControlSystemSoftware · ‎2023-11-23

Thank you - much appreciated.