{"id":10204,"date":"2021-10-28T11:02:16","date_gmt":"2021-10-28T08:02:16","guid":{"rendered":"https:\/\/www.kaspersky.com.tr\/blog\/?p=10204"},"modified":"2021-10-28T11:08:18","modified_gmt":"2021-10-28T08:08:18","slug":"uaparser-js-infected-versions","status":"publish","type":"post","link":"https:\/\/www.kaspersky.com.tr\/blog\/uaparser-js-infected-versions\/10204\/","title":{"rendered":"Malicious code planted in the popular JavaScript package UAParser.js"},"content":{"rendered":"<p>Unknown attackers compromised several versions of UAParser.js, a popular JavaScript library, by planting malicious code in them. According to the <a href=\"https:\/\/www.npmjs.com\/package\/ua-parser-js\" target=\"_blank\" rel=\"noopener nofollow\">statistics on the developers' page<\/a>, the library is used in many projects and is downloaded 6 to 8 million times every week.<\/p>\n<p>Versions 0.7.29, 0.8.0 and 1.0.0 of the library were compromised by malicious actors. All users and system administrators therefore need to update the library versions they use to 0.7.30, 0.8.1 and 1.0.1 as soon as possible.<\/p>\n<h2>So what is UAParser.js, and why is it so popular?<\/h2>\n<p>Developers working in JavaScript use the UAParser.js library to parse the User-Agent data sent by browsers. Besides being deployed on many websites, the library is also used in the software development process at Facebook, Apple, Amazon, Microsoft, Slack, IBM, HPE, Dell, Oracle, Mozilla and many other companies. Moreover, some software developers rely on third-party tools for code testing, such as the Karma framework, which in turn depend on this library; that adds one more link to the supply chain and widens the scale of the attack.<\/p>\n<h2>The planted malicious code<\/h2>\n<p>The attackers planted malicious scripts in the library that download and execute malware on victims' computers, on both Linux and Windows. One of the modules was a cryptocurrency miner. The second (a Windows-only module) could steal confidential information such as browser cookies, passwords and operating system credentials.<\/p>\n<p>And its capabilities did not end there: according to an <a href=\"https:\/\/us-cert.cisa.gov\/ncas\/current-activity\/2021\/10\/22\/malware-discovered-popular-npm-package-ua-parser-js\" target=\"_blank\" rel=\"noopener nofollow\">alert<\/a> from the US Cybersecurity and Infrastructure Security Agency (CISA), installing the compromised libraries also lets attackers take control of the infected systems.<\/p>\n<p>According to <a href=\"https:\/\/github.com\/faisalman\/ua-parser-js\/issues\/536\" target=\"_blank\" rel=\"noopener nofollow\">GitHub users<\/a>, the malware creates binary files named jsextension on Linux and jsextension.exe on Windows. The presence of these files is a clear sign that the system has been compromised.<\/p>\n<h2>How did the malicious code get into the UAParser.js library?<\/h2>\n<p>According to <a href=\"https:\/\/github.com\/faisalman\/ua-parser-js\/issues\/536#issuecomment-949742904\" target=\"_blank\" rel=\"noopener nofollow\">Faisal Salman<\/a>, the developer of the UAParser.js project, an unknown attacker gained access to his account in the npm repository and published three malicious versions of the UAParser.js library. The developer immediately added a warning to the compromised packages and contacted npm support to have the dangerous versions removed as quickly as possible. Even so, it is likely that a large number of machines downloaded these packages before they were taken down.<\/p>\n<p>The versions in question appear to have remained available for more than four hours, between 14:15 and 18:23 European time on October 22. In the late afternoon the developer noticed unusual spam activity in his inbox (he says this is what alerted him to the suspicious activity) and discovered the root cause of the problem.<\/p>\n<h2>What should you do if you downloaded the infected libraries?<\/h2>\n<p>The first step is to check computers for malware. All components of the malware used in the attack are successfully detected by our products.<\/p>\n<p>Then update your libraries to the patched versions 0.7.30, 0.8.1 and 1.0.1. But even that is not enough: the <a href=\"https:\/\/github.com\/advisories\/GHSA-pjwm-rvh2-c87w\" target=\"_blank\" rel=\"noopener nofollow\">recommendation<\/a> is that any computer on which a library version containing the malicious code was installed or run be considered fully compromised. Users and administrators therefore need to change all credentials used on those computers.<\/p>\n<p>In general, development and build environments are convenient targets for attackers attempting supply chain attacks. This means that <a href=\"https:\/\/www.kaspersky.com.tr\/enterprise-security\/devops-security?icid=tr_kdailyplacehold_acq_ona_smm__onl_b2b_kasperskydaily_wpplaceholder_______\" target=\"_blank\" rel=\"noopener\">malware protection<\/a> urgently needs to be used in such environments.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>The npm package UAParser.js, installed on tens of millions of computers worldwide, was infected with a password stealer and a miner. Here is what you need to do.<\/p>\n","protected":false},"author":700,"featured_media":10205,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1351],"tags":[2490,2276,1170,2491,2492,1525,1611,113],"class_list":{"0":"post-10204","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-threats","8":"tag-javascript","9":"tag-linux","10":"tag-macos","11":"tag-madencilik-yazilimlari","12":"tag-parola-calan-yazilimlar","13":"tag-parolalar","14":"tag-tedarik-zinciri","15":"tag-windows"},"hreflang":[{"hreflang":"tr","url":"https:\/\/www.kaspersky.com.tr\/blog\/uaparser-js-infected-versions\/10204\/"},{"hreflang":"en-in","url":"https:\/\/www.kaspersky.co.in\/blog\/uaparser-js-infected-versions\/23525\/"},{"hreflang":"en-ae","url":"https:\/\/me-en.kaspersky.com\/blog\/uaparser-js-infected-versions\/19009\/"},{"hreflang":"en-us","url":"https:\/\/usa.kaspersky.com\/blog\/uaparser-js-infected-versions\/25614\/"},{"hreflang":"en-gb","url":"https:\/\/www.kaspersky.co.uk\/blog\/uaparser-js-infected-versions\/23678\/"},{"hreflang":"es-mx","url":"https:\/\/latam.kaspersky.com\/blog\/uaparser-js-infected-versions\/23186\/"},{"hreflang":"es","url":"https:\/\/www.kaspersky.es\/blog\/uaparser-js-infected-versions\/26330\/"},{"hreflang":"it","url":"https:\/\/www.kaspersky.it\/blog\/uaparser-js-infected-versions\/25871\/"},{"hreflang":"ru","url":"https:\/\/www.kaspersky.ru\/blog\/uaparser-js-infected-versions\/31787\/"},{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/uaparser-js-infected-versions\/42700\/"},{"hreflang":"fr","url":"https:\/\/www.kaspersky.fr\/blog\/uaparser-js-infected-versions\/17993\/"},{"hreflang":"pt-br","url":"https:\/\/www.kaspersky.com.br\/blog\/uaparser-js-infected-versions\/18359\/"},{"hreflang":"pl","url":"https:\/\/plblog.kaspersky.com\/uaparser-js-infected-versions\/15441\/"},{
"hreflang":"de","url":"https:\/\/www.kaspersky.de\/blog\/uaparser-js-infected-versions\/27646\/"},{"hreflang":"ja","url":"https:\/\/blog.kaspersky.co.jp\/uaparser-js-infected-versions\/31874\/"},{"hreflang":"nl","url":"https:\/\/www.kaspersky.nl\/blog\/uaparser-js-infected-versions\/27775\/"},{"hreflang":"ru-kz","url":"https:\/\/blog.kaspersky.kz\/uaparser-js-infected-versions\/24517\/"},{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/uaparser-js-infected-versions\/29877\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/uaparser-js-infected-versions\/29679\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/www.kaspersky.com.tr\/blog\/tag\/tedarik-zinciri\/","name":"tedarik zinciri"},"_links":{"self":[{"href":"https:\/\/www.kaspersky.com.tr\/blog\/wp-json\/wp\/v2\/posts\/10204","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.kaspersky.com.tr\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.kaspersky.com.tr\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com.tr\/blog\/wp-json\/wp\/v2\/users\/700"}],"replies":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com.tr\/blog\/wp-json\/wp\/v2\/comments?post=10204"}],"version-history":[{"count":3,"href":"https:\/\/www.kaspersky.com.tr\/blog\/wp-json\/wp\/v2\/posts\/10204\/revisions"}],"predecessor-version":[{"id":10209,"href":"https:\/\/www.kaspersky.com.tr\/blog\/wp-json\/wp\/v2\/posts\/10204\/revisions\/10209"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com.tr\/blog\/wp-json\/wp\/v2\/media\/10205"}],"wp:attachment":[{"href":"https:\/\/www.kaspersky.com.tr\/blog\/wp-json\/wp\/v2\/media?parent=10204"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.kaspersky.com.tr\/blog\/wp-json\/wp\/v2\/categories?post=10204"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.kaspersky.com.tr\/blog\/wp-json\/wp\/v2\/tags?post=10204"}],"curies
":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}