{"id":11115,"date":"2022-10-18T11:21:09","date_gmt":"2022-10-18T08:21:09","guid":{"rendered":"https:\/\/www.kaspersky.com.tr\/blog\/?p=11115"},"modified":"2022-10-18T11:28:10","modified_gmt":"2022-10-18T08:28:10","slug":"zimbra-cve-2022-41352-itw","status":"publish","type":"post","link":"https:\/\/www.kaspersky.com.tr\/blog\/zimbra-cve-2022-41352-itw\/11115\/","title":{"rendered":"Vulnerability in Zimbra"},"content":{"rendered":"<p>Kaspersky experts have found that the recently discovered CVE-2022-41352 vulnerability in Zimbra Collaboration software is being exploited by unknown APT groups. At least one of these groups is attacking vulnerable servers in Central Asia.<\/p>\n<h2>What is CVE-2022-41352 and why is it so dangerous?<\/h2>\n<p>The vulnerability was discovered in cpio, an archive-unpacking utility used by the Amavis content filter, which is part of the Zimbra Collaboration suite. Attackers can craft a malicious .tar archive containing a web shell and send it to a server running vulnerable Zimbra Collaboration software. When the Amavis filter starts inspecting this archive, it calls the cpio utility, which unpacks the web shell into one of the public directories. At that point, the attackers only need to run the web shell and execute arbitrary commands on the attacked server. 
In other words, this vulnerability is similar to the one <a href=\"https:\/\/www.kaspersky.com.tr\/blog\/tarfile-15-year-old-vulnerability\/11088\/\" target=\"_blank\" rel=\"noopener\">in the tarfile module<\/a>.<\/p>\n<p>A detailed technical description of the vulnerability is available in <a href=\"https:\/\/securelist.com\/ongoing-exploitation-of-cve-2022-41352-zimbra-0-day\/107703\/\" target=\"_blank\" rel=\"noopener\">the Securelist post<\/a>. That blog post also lists the directories where attackers placed their web shells in the attacks our experts investigated.<\/p>\n<h2>Ways to protect yourself<\/h2>\n<p>On October 14, Zimbra released a patch together with installation instructions. The logical first step in protecting against the vulnerability is to install the latest updates, <a href=\"https:\/\/wiki.zimbra.com\/wiki\/Zimbra_Releases\/9.0.0\/P27\" target=\"_blank\" rel=\"noopener nofollow\">available here<\/a>. If for some reason you cannot install this patch, there is a workaround: although there is no patched version of cpio yet, you can prevent the attack by installing the pax utility on a vulnerable server. In that case, Amavis will use pax instead of cpio to unpack .tar archives. However, it is worth remembering that this is not a real solution. 
In theory, attackers could find another way to exploit cpio.<\/p>\n<p>If you suspect that you have been attacked through this vulnerability, or if you find a web shell in one of the directories listed on <a href=\"https:\/\/securelist.com\/ongoing-exploitation-of-cve-2022-41352-zimbra-0-day\/107703\/\" target=\"_blank\" rel=\"noopener\">Securelist<\/a>, our experts recommend contacting <a href=\"https:\/\/www.kaspersky.com.tr\/enterprise-security\/incident-response?icid=tr_kdailyplacehold_acq_ona_smm__onl_b2b_kasperskydaily_wpplaceholder_______\" target=\"_blank\" rel=\"noopener\">incident response<\/a> specialists. The attackers may already have gained access to other service accounts or even installed backdoors. That gives them a way to regain access to the attacked system even if the web shell is removed.<\/p>\n<p><a href=\"https:\/\/www.kaspersky.com.tr\/small-to-medium-business-security?icid=tr_kdailyplacehold_acq_ona_smm__onl_b2b_kasperskydaily_wpplaceholder_______\" target=\"_blank\" rel=\"noopener\">Kaspersky security solutions<\/a> successfully detect and block attempts to exploit the CVE-2022-41352 vulnerability.<\/p>\n<input type=\"hidden\" class=\"category_for_banner\" value=\"kesb-b2b\">\n","protected":false},"excerpt":{"rendered":"<p>Attackers are using an archive-unpacking tool to attack 
servers running the Zimbra Collaboration suite.<\/p>\n","protected":false},"author":2706,"featured_media":11116,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1726,1194,1727],"tags":[493,790,2276],"class_list":{"0":"post-11115","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-enterprise","8":"category-business","9":"category-smb","10":"tag-apt","11":"tag-guvenlik-aciklari","12":"tag-linux"},"hreflang":[{"hreflang":"tr","url":"https:\/\/www.kaspersky.com.tr\/blog\/zimbra-cve-2022-41352-itw\/11115\/"},{"hreflang":"en-in","url":"https:\/\/www.kaspersky.co.in\/blog\/zimbra-cve-2022-41352-itw\/24763\/"},{"hreflang":"en-ae","url":"https:\/\/me-en.kaspersky.com\/blog\/zimbra-cve-2022-41352-itw\/20241\/"},{"hreflang":"en-us","url":"https:\/\/usa.kaspersky.com\/blog\/zimbra-cve-2022-41352-itw\/27240\/"},{"hreflang":"en-gb","url":"https:\/\/www.kaspersky.co.uk\/blog\/zimbra-cve-2022-41352-itw\/25091\/"},{"hreflang":"es-mx","url":"https:\/\/latam.kaspersky.com\/blog\/zimbra-cve-2022-41352-itw\/25410\/"},{"hreflang":"es","url":"https:\/\/www.kaspersky.es\/blog\/zimbra-cve-2022-41352-itw\/27960\/"},{"hreflang":"it","url":"https:\/\/www.kaspersky.it\/blog\/zimbra-cve-2022-41352-itw\/27264\/"},{"hreflang":"ru","url":"https:\/\/www.kaspersky.ru\/blog\/zimbra-cve-2022-41352-itw\/34109\/"},{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/zimbra-cve-2022-41352-itw\/45803\/"},{"hreflang":"fr","url":"https:\/\/www.kaspersky.fr\/blog\/zimbra-cve-2022-41352-itw\/19622\/"},{"hreflang":"pt-br","url":"https:\/\/www.kaspersky.com.br\/blog\/zimbra-cve-2022-41352-itw\/20187\/"},{"hreflang":"de","url":"https:\/\/www.kaspersky.de\/blog\/zimbra-cve-2022-41352-itw\/29403\/"},{"hreflang":"ja","url":"https:\/\/blog.kaspersky.co.jp\/zimbra-cve-2022-41352-itw\/32656\/"},{"hreflang":"ru-kz","url":"https:\/\/blog.kaspersky.kz\/zimbra-cve-2022-41352-it
w\/25520\/"},{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/zimbra-cve-2022-41352-itw\/31138\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/zimbra-cve-2022-41352-itw\/30844\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/www.kaspersky.com.tr\/blog\/tag\/guvenlik-aciklari\/","name":"g\u00fcvenlik a\u00e7\u0131klar\u0131"},"_links":{"self":[{"href":"https:\/\/www.kaspersky.com.tr\/blog\/wp-json\/wp\/v2\/posts\/11115","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.kaspersky.com.tr\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.kaspersky.com.tr\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com.tr\/blog\/wp-json\/wp\/v2\/users\/2706"}],"replies":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com.tr\/blog\/wp-json\/wp\/v2\/comments?post=11115"}],"version-history":[{"count":4,"href":"https:\/\/www.kaspersky.com.tr\/blog\/wp-json\/wp\/v2\/posts\/11115\/revisions"}],"predecessor-version":[{"id":11125,"href":"https:\/\/www.kaspersky.com.tr\/blog\/wp-json\/wp\/v2\/posts\/11115\/revisions\/11125"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com.tr\/blog\/wp-json\/wp\/v2\/media\/11116"}],"wp:attachment":[{"href":"https:\/\/www.kaspersky.com.tr\/blog\/wp-json\/wp\/v2\/media?parent=11115"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.kaspersky.com.tr\/blog\/wp-json\/wp\/v2\/categories?post=11115"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.kaspersky.com.tr\/blog\/wp-json\/wp\/v2\/tags?post=11115"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}