Security bulletins
Below are security bulletins compiled by Yandex.Cloud engineers.
15.06.2020 — Special Register Buffer Data Sampling Attack (aka CrossTalk)
Description
A new Special Register Buffer Data Sampling Attack (aka CrossTalk) has been disclosed in a white paper by VUSec company. The attack allows to leak values generated by RDRAND and RDSEED instructions by malicious code running on a CPU core other than the code using those instructions. The attack was assigned a CVE number CVE-2020-0543.
Intel report: Deep Dive: Special Register Buffer Data Sampling.
Yandex.Cloud services impact
According to the Intel's Security Advisory the both types of CPU used in Yandex Cloud are not vulnerable for the attack.
28.08.2019 — TCP SACK
Description
There are three TCP vulnerabilities in Linux kernel disclosed by Netflix:
Original Netflix report: NFLX-2019-001.
Comprehensive vulnerabilities analysis by Red Hat: TCP SACK PANIC.
Yandex.Cloud services impact
- Yandex.Cloud infrastructure was patched immediately.
- Public VM images available to Yandex Cloud Compute users were updated as soon as the corresponding fixes became available. New virtual machines created in Yandex Compute Cloud are not affected by the listed vulnerabilities.
19.08.2019 — Several Yandex.Cloud domains were added to the Public Suffix List
Description
The following Yandex.Cloud domains were added to the Public Suffix List:
- yandexcloud.net
- storage.yandexcloud.net
- website.yandexcloud.net
Domains in the Public Suffix List gain properties of top-level domains such as .ru or .com:
- browsers don't set cookies on the listed domains,
- browsers don't allow changing the
Originheader of the page to the root domains.
More information can be found in our blog post (in Russian).
Yandex.Cloud services impact
This will improve security and isolation for Yandex.Cloud customers.