Roos Instruments is aware of and has been closely monitoring developments around the Meltdown and Spectre vulnerabilities. The RI8574A EPC for Cassini includes an Intel CPU and an embedded OS based on the OS/2 platform, both of which are likely affected. The RIK0126A Virtual Workstation and Guru Server software, whether run in the cloud, virtually, or on physical hardware, are also affected.
Status: Pending Updates (not yet available)
Risk Level: Low (malware must target OS/2 platform)
Roos Instruments has identified that all CASSINI RI8574 EPC TIMs, Virtual Workstations, Guru Enterprise Servers, Guru Servers and eManuals (Apple iPads) may be impacted by this issue. We recommend that our customers evaluate their systems for this vulnerability and take immediate action to remediate as OS, VirtualBox or VMware patches become available. If Guru Server is installed on an affected Linux operating system (OpenSuSE, xUbuntu), please follow the procedures to apply security updates. Although the issue is urgent in both priority and severity, the actual risk is very low, since these installations are typically not accessible from the public internet and are protected by multiple layers of physical and network security.
As for Roos Instruments, we are taking the necessary steps to mitigate any risk associated with this flaw as soon as possible. Roos Instruments is preparing to update all servers that are exposed to the public internet and will verify that these systems are no longer affected once a patch is available.
For Guru Server, the performance impact of these patches can be avoided by disabling page table isolation, but doing so is NOT recommended.
For EPC and Virtual Workstations based on the OS/2, eComStation and ArcaOS operating systems, apply Firefox updates and hardware firmware updates as they become available. Otherwise, use network access controls to restrict HTTPS/HTTP (TCP ports 443/80) access from vulnerable systems.
RI8574A EPC Firmware: Intel, ASRock - TBD; OS: eComStation 4 or ArcaOS 5 - TBD
OS/2 Platform vulnerability: OS/2 - untested, eComStation - untested, ArcaOS - vulnerable, ArcaOS Policy Statement
OS/2 Web Browser: Firefox does not include the timing precision necessary for practical attacks. (Source)
Guru Server, common Linux OS update commands (refreshing the package index alone does not install the patches; the upgrade step must follow):
- Ubuntu/xUbuntu: "sudo apt-get update && sudo apt-get upgrade"
- OpenSuSE: "sudo zypper patch"
- CentOS, Red Hat: "sudo yum update"
- Guru Enterprise Server on Xubuntu 14.04 LTS Configuration Procedures
- US-CERT and NIST provide a vulnerability summary in the National Vulnerability Database, including known vulnerable software and versions
- https://meltdownattack.com/ is a public site developed by Graz University of Technology with tools and information.
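After applying the OS updates listed above, the kernel's own mitigation report is the quickest way to confirm a Linux Guru Server host is no longer affected and that page table isolation has not been switched off. The script below is an added example, not Roos Instruments' code; it assumes the mainline kernel's /sys/devices/system/cpu/vulnerabilities interface and its "Mitigation:" / "Vulnerable" / "Not affected" wording.

```shell
#!/bin/sh
# Added example (not from Roos Instruments): report Meltdown/Spectre mitigation
# status as the Linux kernel itself publishes it, and flag a boot with page
# table isolation disabled. Assumes the mainline sysfs path and status wording.

VULN_DIR=/sys/devices/system/cpu/vulnerabilities

# classify_status STATUS_TEXT -> prints mitigated | vulnerable | not-affected | unknown
classify_status() {
    case "$1" in
        "Not affected"*) echo not-affected ;;
        "Mitigation:"*)  echo mitigated ;;
        "Vulnerable"*)   echo vulnerable ;;
        *)               echo unknown ;;
    esac
}

# pti_disabled_in CMDLINE -> succeeds if the kernel was booted with PTI off
# ("pti=off" or "nopti"), i.e. the setting the advisory says NOT to use.
pti_disabled_in() {
    case " $1 " in
        *" pti=off "*|*" nopti "*) return 0 ;;
        *) return 1 ;;
    esac
}

# report_host -> prints one line per sysfs entry; returns 1 if anything is
# still vulnerable, the interface is missing, or PTI was disabled at boot.
report_host() {
    rc=0
    if [ ! -d "$VULN_DIR" ]; then
        echo "no $VULN_DIR: kernel predates the mitigations, treat as unpatched"
        return 1
    fi
    for f in "$VULN_DIR"/*; do
        status=$(cat "$f")
        cls=$(classify_status "$status")
        printf '%-22s %-13s %s\n' "$(basename "$f")" "$cls" "$status"
        if [ "$cls" = vulnerable ]; then rc=1; fi
    done
    if pti_disabled_in "$(cat /proc/cmdline 2>/dev/null)"; then
        echo "WARNING: kernel booted with page table isolation disabled"
        rc=1
    fi
    return $rc
}

if [ "${1:-}" = --run ]; then report_host; fi
```

Run it as `sh check_mitigations.sh --run` on the Guru Server host; a non-zero exit means at least one entry still needs attention.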