Security bulletins
This page lists security recommendations given by Yandex.Cloud experts.
20.09.2020: CVE-2020-1472 (aka Zerologon)
Description
A flaw in Windows Netlogon Remote Protocol allows an unauthenticated attacker with network access to a domain controller to completely compromise all Active Directory identity services.
Original report from Secura: Zerologon.
Microsoft advisory: CVE-2020-1472.
Microsoft guide on change management : How to manage the changes in Netlogon secure channel connections associated with CVE-2020-1472.
Impact on Yandex.Cloud services
The OS images available to Yandex Compute Cloud are already contain all the necessary patches. However, the new VMs created in Yandex Compute Cloud are not vulnerable to those vulnerabilities.
Mitigation Techniques
In addition to the patches you can implement and enforce network access control so that your DC is not accessible from untrusted networks. This can be achieved by:
- setting up Windows Firewall or Security Groups;
- putting your DC under a NAT-gateway.
15.06.2020: Special Register Buffer Data Sampling Attack (aka CrossTalk)
Description
On certain Intel CPU models, VUSec detected a new attack called Special Register Buffer Data Sampling Attack (or CrossTalk). During this attack, a malicious process can get the results returned by the RDRAND and RDSEED instructions from another process, even when the malicious and legitimate processes run on different physical CPU cores. The attack is assigned the ID CVE-2020-0543.
Intel's report: Deep Dive: Special Register Buffer Data Sampling.
Impact on Yandex.Cloud services
Yandex.Cloud uses CPU models that are not vulnerable to CrossTalk attacks.
28.08.2019: TCP SACK
Description
Netflix experts found three vulnerabilities in the Linux kernel:
Original report from Netflix: NFLX-2019-001.
Vulnerability analysis from Red Hat: TCP SACK PANIC.
Impact on Yandex.Cloud services
- The Yandex.Cloud infrastructure was promptly protected and updated.
- The OS images available to Yandex Compute Cloud users were updated as soon as the appropriate fixes became available. Therefore, the new VMs created in Yandex Compute Cloud are not vulnerable to those vulnerabilities.
19.08.2019: Some Yandex Object Storage domains are included in the Public Suffix List
Description
List of domains included in Public Suffix List:
- yandexcloud.net
- storage.yandexcloud.net
- website.yandexcloud.net
Domains in the Public Suffix List get the properties of top-level domains, such as .ru or .com:
- Browsers won't save the cookies set for the listed domains.
- Browsers won't let anyone change the page's
Originrequest headers to root domains.
For more information, see our blog.
Impact on Yandex.Cloud services
These changes will improve the security of Yandex.Cloud users.