{"id":2635,"date":"2023-01-28T16:43:15","date_gmt":"2023-01-28T16:43:15","guid":{"rendered":"https:\/\/sunucucozumleri.com\/?p=2635"},"modified":"2023-01-28T16:43:15","modified_gmt":"2023-01-28T16:43:15","slug":"windows-cryptoapide-kritik-bir-kimlik-sahtekarligi-guvenlik-acigi-kullanma-windows-sunucu-kullananlarin-dikkatine","status":"publish","type":"post","link":"https:\/\/sunucucozumleri.com\/blog\/windows-cryptoapide-kritik-bir-kimlik-sahtekarligi-guvenlik-acigi-kullanma-windows-sunucu-kullananlarin-dikkatine\/","title":{"rendered":"Exploiting a Critical Spoofing Vulnerability in Windows CryptoAPI &#8211; Attention Windows Server Users"},"content":{"rendered":"<p><span>By Tomer Peled and Yoni Rozenshein<\/span><\/p>\n<p><span>Editorial and additional contributions by Tricia Howard<\/span><\/p>\n<h2><span class=\"ez-toc-section\" id=\"Yonetici_Ozeti\"><\/span><span>Executive Summary<\/span><span class=\"ez-toc-section-end\"><\/span><\/h2>\n<ul>\n<li><span>Akamai Security Research analyzed a critical vulnerability in Windows CryptoAPI that was recently disclosed to Microsoft by the National Security Agency (NSA) and the National Cyber Security Centre (NCSC).<\/span><\/li>\n<li><span>The vulnerability, assigned <\/span><a href=\"https:\/\/msrc.microsoft.com\/update-guide\/en-US\/vulnerability\/CVE-2022-34689\" target=\"_blank\" rel=\"nofollow noopener noreferrer\"><span>CVE-2022-34689<\/span><\/a><span>, has a CVSS score of 7.5. It was patched in August 2022, but was publicly announced in the October 2022 Patch Tuesday.<\/span><\/li>\n<li><span>According to Microsoft, the vulnerability allows an attacker to masquerade as a legitimate entity.<\/span><\/li>\n<li><span>The root cause of the bug is the assumption that the MD5-based certificate cache index key is collision-free. Since 2009, MD5&#8217;s collision resistance has been known to be <\/span><a 
href=\"https:\/\/marc-stevens.nl\/research\/papers\/CR09-SSALMOdW.pdf\" target=\"_blank\" rel=\"nofollow noopener noreferrer\"><span>broken<\/span><\/a><span>.<\/span><\/li>\n<li><span>The attack flow is twofold. The first phase requires taking a legitimate certificate, modifying it, and serving the modified version to the victim. The second phase involves creating a new certificate whose MD5 collides with the modified legitimate certificate, and using the new certificate to spoof the identity of the original certificate&#8217;s subject.<\/span><\/li>\n<li><span>We searched for applications in the wild that use CryptoAPI in a way that is vulnerable to this spoofing attack. So far, we have found that old versions of Chrome (v48 and earlier) and Chromium-based applications can be exploited. We believe there are more vulnerable targets in the wild, and our research is still ongoing.<\/span><\/li>\n<li><span>We found that fewer than 1% of visible devices in data centers are patched, leaving the rest unprotected against exploitation of this vulnerability.<\/span><\/li>\n<li><span>In this blog post, we provide a detailed explanation of the potential attack flow and its consequences, as well as a <\/span><a href=\"https:\/\/github.com\/akamai\/akamai-security-research\/tree\/main\/PoCs\/CVE-2022-34689\" 
target=\"_blank\" rel=\"nofollow noopener noreferrer\"><span>proof of concept (PoC)<\/span><\/a><span> that demonstrates the full attack. We also provide an OSQuery to detect vulnerable versions of the CryptoAPI library.<\/span><\/li>\n<\/ul>\n<p><a href=\"https:\/\/user-images.githubusercontent.com\/114926055\/214040642-beb765f7-4788-45e8-836c-a08dc441b5b4.mp4\" rel=\"nofollow noopener\" target=\"_blank\"><strong>Click to watch the video<\/strong><\/a><\/p>\n<div class=\"text aem-GridColumn aem-GridColumn--default--12\">\n<div class=\"cmp-text\" style=\"box-sizing: border-box;\" data-cmp-data-layer=\"{&quot;text-8de59b606c&quot;:{&quot;@type&quot;:&quot;akamai\/components\/text&quot;,&quot;repo:modifyDate&quot;:&quot;2023-01-25T13:26:07Z&quot;,&quot;xdm:text&quot;:&quot;&lt;h2&gt;&amp;nbsp;&lt;\/h2&gt;\\n&lt;h2&gt;Background&lt;br&gt;\\n&lt;\/h2&gt;\\n&lt;p&gt;Three months ago, in our&amp;nbsp;&lt;a href=\\&quot;\/content\/akamai\/en\/blog\/security-research\/akamai-perspective-patch-tuesday-october-2022.html\\&quot;&gt;October 2022 Patch Tuesday analysis&lt;\/a&gt;, we shared a basic description of a critical spoofing vulnerability in Windows CryptoAPI \u2014 CVE-2022-34689. According to Microsoft, this vulnerability allows an attacker to \u201cspoof their identity and perform actions such as authentication or code signing as the targeted certificate.\u201d&lt;\/p&gt;\\n&lt;p&gt;CryptoAPI is the de facto API in Windows for handling anything related to cryptography. In particular, it handles certificates \u2014 from reading and parsing them to validating them against verified certificate authorities (CAs). 
Browsers also use CryptoAPI for TLS certificate validation \u2014 a process that results in the lock icon everyone is taught to check.&lt;\/p&gt;\\n&lt;p&gt;However, certificate verification is not unique for browsers, and is used by other TLS clients as well, such as PowerShell web authentication, curl, wget, FTP managers, EDRs, and many other applications. In addition, code-signing certificates are verified on executables and libraries, and driver-signing certificates are verified when loading drivers. As one can imagine, a vulnerability in the verification process of certificates is very lucrative for attackers, as it allows them to mask their identity and bypass critical security protections.&lt;\/p&gt;\\n&lt;p&gt;This is not the first time the National Security Agency disclosed a vulnerability in CryptoAPI. In 2020, they found and disclosed CurveBall (CVE-2020-0601). Exploiting either&amp;nbsp;&lt;i&gt;CurveBall&lt;\/i&gt;&amp;nbsp;or CVE-2022-34689 results in identity spoofing; but while&amp;nbsp;&lt;i&gt;CurveBall&lt;\/i&gt;&amp;nbsp;affected many applications, CVE-2022-34689 has more prerequisites and thus has a more limited scope of vulnerable targets.&lt;\/p&gt;\\n&lt;h2&gt;Vulnerability details&lt;\/h2&gt;\\n&lt;p&gt;To analyze the vulnerability, we first tried to locate the patched code. We used BinDiff \u2014 a popular binary-diffing tool \u2014 to observe the various code changes to CryptoAPI. In crypt32.dll, only one function has changed:&amp;nbsp;&lt;i&gt;CreateChainContextFromPathGraph&lt;\/i&gt;. 
As part of this function, there is a comparison of two certificates: one that is received as input and another that resides in the receiving application\u2019s certificate cache (more on this cache later).&lt;\/p&gt;\\n&lt;p&gt;Inspection of the changes revealed that&amp;nbsp;&lt;i&gt;memcmp&lt;\/i&gt;&amp;nbsp;checks were added to the function in two locations (Figure 1).&lt;\/p&gt;\\n&quot;}}\">\n<h2><span class=\"ez-toc-section\" id=\"Arka_plan\"><\/span><span>Background<\/span><span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p><span>Three months ago, in our <\/span><a href=\"https:\/\/www.akamai.com\/blog\/security-research\/akamai-perspective-patch-tuesday-october-2022\" rel=\"nofollow noopener\" target=\"_blank\"><span>October 2022 Patch Tuesday analysis<\/span><\/a><span>, we shared a basic description of a critical spoofing vulnerability in Windows CryptoAPI \u2014 CVE-2022-34689. According to Microsoft, this vulnerability allows an attacker to &#8220;spoof their identity and perform actions such as authentication or code signing as the targeted certificate.&#8221;<\/span><\/p>\n<p><span>CryptoAPI is the de facto API in Windows for handling anything related to cryptography. In particular, it handles certificates, from reading and parsing them to validating them against verified certificate authorities (CAs). Browsers also use CryptoAPI for TLS certificate validation, a process that results in the lock icon everyone is taught to check.<\/span><\/p>\n<p><span>However, certificate verification is not unique to browsers; it is also used by other TLS clients, such as PowerShell web authentication, curl, wget, FTP managers, EDRs, and many other applications. In addition, code-signing certificates are verified on executables and libraries, and driver-signing certificates are verified when loading drivers. As one can imagine, a vulnerability in the certificate verification process is very lucrative for attackers, as it allows them to mask their identity and bypass critical security protections.<\/span><\/p>\n<p><span>This is not the first time the National Security Agency has disclosed a vulnerability in CryptoAPI. In 2020, they found and disclosed CurveBall (CVE-2020-0601). Exploiting either <\/span><i><span>CurveBall<\/span><\/i><span> or CVE-2022-34689 results in identity spoofing; but while <\/span><i><span>CurveBall<\/span><\/i><span> affected many applications, CVE-2022-34689 has more prerequisites and thus has a more limited scope of vulnerable targets.<\/span><\/p>\n<h2><span class=\"ez-toc-section\" id=\"Guvenlik_acigi_ayrintilari\"><\/span><span>Vulnerability details<\/span><span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p><span>To analyze the vulnerability, we first tried to locate the patched code. We used BinDiff, a popular binary-diffing tool, to observe the various code changes to CryptoAPI. In crypt32.dll, only one function has changed: <\/span><i><span>CreateChainContextFromPathGraph<\/span><\/i><span>. As part of this function, there is a comparison of two certificates: one that is received as input and another that resides in the receiving application&#8217;s certificate cache (more on this cache later).<\/span><\/p>\n<p><span>Inspection of the changes revealed that <\/span><i><span>memcmp<\/span><\/i><span> checks were added to the function in two locations (Figure 1).<\/span><\/p>\n<\/div>\n<\/div>\n<div class=\"image aem-GridColumn aem-GridColumn--default--12\">\n<div class=\"cmp-image__wrapper fixed-ratio-16-9\">\n<div class=\"cmp-image\" data-cmp-lazy=\"\" data-title=\"Inspection of the changes revealed that memcmp checks were added to the function in two locations (Figure 1).\" data-cmp-data-layer=\"{&quot;image-9e9a696c16&quot;:{&quot;@type&quot;:&quot;akamai\/components\/image&quot;,&quot;repo:modifyDate&quot;:&quot;2023-01-25T04:27:57Z&quot;,&quot;dc:title&quot;:&quot;Inspection of the changes revealed that memcmp checks were added to the function in two locations (Figure 1).&quot;,&quot;xdm:linkURL&quot;:&quot;\/content\/dam\/site\/en\/images\/blog\/2023\/exploiting-critical-fig1.png&quot;,&quot;image&quot;:{&quot;repo:id&quot;:&quot;ee84293b-913f-4aa7-a31e-4f59b54d738f&quot;,&quot;repo:modifyDate&quot;:&quot;2023-01-25T02:56:56Z&quot;,&quot;@type&quot;:&quot;image\/png&quot;,&quot;repo:path&quot;:&quot;\/content\/dam\/site\/en\/images\/blog\/2023\/exploiting-critical-fig1.png&quot;,&quot;xdm:tags&quot;:[]}}}\"><a class=\"cmp-image__link\" href=\"https:\/\/www.akamai.com\/site\/en\/images\/blog\/2023\/exploiting-critical-fig1.png\" target=\"_blank\" rel=\"nofollow noopener 
noreferrer\" data-cmp-hook-image=\"link\"><img decoding=\"async\" class=\"cmp-image__image\" src=\"https:\/\/www.akamai.com\/site\/en\/images\/blog\/2023\/exploiting-critical-fig1.png\" alt=\"Inspection of the changes revealed that memcmp checks were added to the function in two locations (Figure 1).\" data-cmp-hook-image=\"image\" title=\"\">\u00a0<\/a><span class=\"cmp-image__title\"><span>Figure 1: The code added to CreateChainContextFromPathGraph in the patch (highlighted)<\/span><\/span><\/div>\n<\/div>\n<\/div>\n<div class=\"text aem-GridColumn aem-GridColumn--default--12\">\n<div class=\"cmp-text\" style=\"box-sizing: border-box;\" data-cmp-data-layer=\"{&quot;text-8e18f94cc6&quot;:{&quot;@type&quot;:&quot;akamai\/components\/text&quot;,&quot;repo:modifyDate&quot;:&quot;2023-01-25T02:57:48Z&quot;,&quot;xdm:text&quot;:&quot;&lt;p&gt;Before the patch, the function determined whether a received certificate is already in the cache (and therefore verified) only based on its MD5 thumbprint. 
After the patch, the &lt;i&gt;memcmp&lt;\/i&gt; addition requires that the actual contents of the two certificates match completely.&amp;nbsp;&lt;br&gt;\\r\\n&lt;\/p&gt;\\r\\n&lt;p&gt;At this point, we theorized that if an attacker could serve a malicious certificate whose MD5 collides with one that is already in the victim\u2019s certificate cache, they would be able to bypass the vulnerable check and have their malicious certificate trusted (Figure 2).&lt;\/p&gt;\\r\\n&quot;}}\">\n<p><span>Before the patch, the function determined whether a received certificate was already in the cache (and therefore verified) based only on its MD5 thumbprint. After the patch, the added <\/span><i><span>memcmp<\/span><\/i><span> requires that the actual contents of the two certificates match completely.<\/span><\/p>\n<p><span>At this point, we theorized that if an attacker could serve a malicious certificate whose MD5 collides with one that is already in the victim&#8217;s certificate cache, they would be able to bypass the vulnerable check and have their malicious certificate trusted (Figure 2).<\/span><\/p>\n<\/div>\n<\/div>\n<div class=\"image aem-GridColumn aem-GridColumn--default--12\">\n<div class=\"cmp-image__wrapper fixed-ratio-16-9\">\n<div class=\"cmp-image\" data-cmp-lazy=\"\" data-title=\"Attack flow\" data-cmp-data-layer=\"{&quot;image-6e765cb620&quot;:{&quot;@type&quot;:&quot;akamai\/components\/image&quot;,&quot;repo:modifyDate&quot;:&quot;2023-01-25T04:28:04Z&quot;,&quot;dc:title&quot;:&quot;Attack 
flow&quot;,&quot;xdm:linkURL&quot;:&quot;\/content\/dam\/site\/en\/images\/blog\/2023\/exploiting-critical-fig3.png&quot;,&quot;image&quot;:{&quot;repo:id&quot;:&quot;18013690-cc23-4cf6-80de-5f7a47ed7ec6&quot;,&quot;repo:modifyDate&quot;:&quot;2023-01-25T02:59:43Z&quot;,&quot;@type&quot;:&quot;image\/png&quot;,&quot;repo:path&quot;:&quot;\/content\/dam\/site\/en\/images\/blog\/2023\/exploiting-critical-fig3.png&quot;,&quot;xdm:tags&quot;:[]}}}\"><a class=\"cmp-image__link\" href=\"https:\/\/www.akamai.com\/site\/en\/images\/blog\/2023\/exploiting-critical-fig3.png\" target=\"_blank\" rel=\"nofollow noopener noreferrer\" data-cmp-hook-image=\"link\"><img decoding=\"async\" class=\"cmp-image__image\" src=\"https:\/\/www.akamai.com\/site\/en\/images\/blog\/2023\/exploiting-critical-fig3.png\" alt=\"Attack flow\" data-cmp-hook-image=\"image\" title=\"\">\u00a0<\/a><span class=\"cmp-image__title\"><span>Figure 2: High-level attack flow<\/span><\/span><\/div>\n<\/div>\n<\/div>\n<div class=\"text text__pt-20 text__pb-20 aem-GridColumn aem-GridColumn--default--12\">\n<div class=\"cmp-text\" style=\"box-sizing: border-box; padding-top: 20px; padding-bottom: 20px;\" data-cmp-data-layer=\"{&quot;text-f09e0183c1&quot;:{&quot;@type&quot;:&quot;akamai\/components\/text&quot;,&quot;repo:modifyDate&quot;:&quot;2023-01-25T03:49:34Z&quot;,&quot;xdm:text&quot;:&quot;&lt;h3&gt;CryptoAPI\u2019s certificate cache&lt;br&gt;\\r\\n&lt;\/h3&gt;\\r\\n&lt;p&gt;CryptoAPI can use a cache for received end certificates to improve performance and efficiency. This mechanism is disabled by default. 
To enable it, the application developer needs to pass certain parameters to &lt;i&gt;CertGetCertificateChain&lt;\/i&gt;, the Windows API function that eventually leads to the vulnerable code (Figure 3).&lt;\/p&gt;\\r\\n&quot;}}\">\n<h3><span class=\"ez-toc-section\" id=\"CryptoAPInin_sertifika_onbellegi\"><\/span><span>CryptoAPI&#8217;s certificate cache<\/span><span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p><span>CryptoAPI can use a cache for received end certificates to improve performance and efficiency. This mechanism is disabled by default. To enable it, the application developer needs to pass certain parameters to <\/span><i><span>CertGetCertificateChain<\/span><\/i><span>, the Windows API function that eventually leads to the vulnerable code (Figure 3).<\/span><\/p>\n<\/div>\n<\/div>\n<div class=\"image aem-GridColumn aem-GridColumn--default--12\">\n<div class=\"cmp-image__wrapper fixed-ratio-16-9\">\n<div class=\"cmp-image\" data-cmp-lazy=\"\" data-title=\"CertGetCertificateChain, the Windows API function that eventually leads to the vulnerable code (Figure 3).\" data-cmp-data-layer=\"{&quot;image-d0a08aeb0e&quot;:{&quot;@type&quot;:&quot;akamai\/components\/image&quot;,&quot;repo:modifyDate&quot;:&quot;2023-01-25T04:14:36Z&quot;,&quot;dc:title&quot;:&quot;CertGetCertificateChain, the Windows API function that eventually leads to the vulnerable code (Figure 3).&quot;,&quot;xdm:linkURL&quot;:&quot;\/content\/dam\/site\/en\/images\/blog\/2023\/exploiting-critical-fig2.png&quot;,&quot;image&quot;:{&quot;repo:id&quot;:&quot;e58b5c4b-595d-4f7c-af67-831b16b7b358&quot;,&quot;repo:modifyDate&quot;:&quot;2023-01-25T03:02:52Z&quot;,&quot;@type&quot;:&quot;image\/png&quot;,&quot;repo:path&quot;:&quot;\/content\/dam\/site\/en\/images\/blog\/2023\/exploiting-critical-fig2.png&quot;,&quot;xdm:tags&quot;:[]}}}\"><a 
class=\"cmp-image__link\" href=\"https:\/\/www.akamai.com\/site\/en\/images\/blog\/2023\/exploiting-critical-fig2.png\" target=\"_blank\" rel=\"nofollow noopener noreferrer\" data-cmp-hook-image=\"link\"><img decoding=\"async\" class=\"cmp-image__image\" src=\"https:\/\/www.akamai.com\/site\/en\/images\/blog\/2023\/exploiting-critical-fig2.png\" alt=\"CertGetCertificateChain, the Windows API function that eventually leads to the vulnerable code (Figure 3).\" data-cmp-hook-image=\"image\" title=\"\">\u00a0<\/a><span class=\"cmp-image__title\"><span>Figure 3: CertGetCertificateChain function declaration<\/span><\/span><\/div>\n<\/div>\n<\/div>\n<div class=\"text text__pb-20 aem-GridColumn aem-GridColumn--default--12\">\n<div class=\"cmp-text\" style=\"box-sizing: border-box; padding-bottom: 20px;\" data-cmp-data-layer=\"{&quot;text-505eb66ebf&quot;:{&quot;@type&quot;:&quot;akamai\/components\/text&quot;,&quot;repo:modifyDate&quot;:&quot;2023-01-25T03:08:26Z&quot;,&quot;xdm:text&quot;:&quot;&lt;p&gt;&lt;i&gt;CertGetCertificateChain&lt;\/i&gt; receives several interesting parameters:&lt;\/p&gt;\\r\\n&lt;ul&gt;\\r\\n&lt;li&gt;&lt;p&gt;&lt;i&gt;hChainEngine&lt;\/i&gt; \u2014 a configurable object used to control the way certificates are validated&lt;\/p&gt;\\r\\n&lt;\/li&gt;\\r\\n&lt;\/ul&gt;\\r\\n&lt;ul&gt;\\r\\n&lt;li&gt;&lt;p&gt;&lt;i&gt;pCertContext&lt;\/i&gt; \u2014 the input certificate\u2019s context, a data structure built using the input certificate by the WinAPI function CertCreateCertificateContext&lt;\/p&gt;\\r\\n&lt;\/li&gt;\\r\\n&lt;li&gt;&lt;p&gt;&lt;i&gt;dwFlags&lt;\/i&gt; \u2014 the flags that specify further configuration&lt;\/p&gt;\\r\\n&lt;\/li&gt;\\r\\n&lt;li&gt;&lt;p&gt;&lt;i&gt;ppChainContext &lt;\/i&gt;\u2014 the output object that contains (among other fields) the trust status; namely, the verification verdict of the chain&lt;\/p&gt;\\r\\n&lt;\/li&gt;\\r\\n&lt;\/ul&gt;\\r\\n&lt;p&gt;To enable the caching 
mechanism for end certificates, the developer needs to either set the flag CERT_CHAIN_CACHE_END_CERT in &lt;i&gt;dwFlags&lt;\/i&gt;, or create a custom chain engine and set the flag CERT_CHAIN_CACHE_END_CERT in its &lt;i&gt;dwFlags&lt;\/i&gt; field.&lt;\/p&gt;\\r\\n&lt;p&gt;To understand how the cache is implemented and used, let\u2019s take a look at the function &lt;i&gt;FindIssuerObject&lt;\/i&gt; that pulls the certificate from the cache. Broadly speaking, the function behaves as follows:&lt;\/p&gt;\\r\\n&lt;ol&gt;\\r\\n&lt;li&gt;&lt;p&gt;It calculates the input certificate\u2019s bucket index in the cache based on the four least-significant bytes of its MD5 thumbprint.&lt;\/p&gt;\\r\\n&lt;\/li&gt;\\r\\n&lt;li&gt;&lt;p&gt;If it exists in cache, the function compares the entire MD5 thumbprint of the cached certificate and the input certificate.&lt;\/p&gt;\\r\\n&lt;\/li&gt;\\r\\n&lt;li&gt;&lt;p&gt;If the thumbprints match (cache hit), the input certificate is trusted and returned. From now on,&lt;b&gt; the application uses the input certificate attributes (such as the public key, issuer, etc.) and not the cached certificate&lt;\/b&gt;.&lt;\/p&gt;\\r\\n&lt;\/li&gt;\\r\\n&lt;li&gt;&lt;p&gt;If the thumbprints do not match (cache miss), it goes to the next certificate in the bucket, compares its MD5 thumbprint, and repeats.&lt;\/p&gt;\\r\\n&lt;\/li&gt;\\r\\n&lt;\/ol&gt;\\r\\n&lt;p&gt;Microsoft inherently trusts the validity of cached certificates, and doesn\u2019t perform any additional validity checks after an end certificate is found in the cache. This, by itself, is a reasonable working assumption. However, the code makes a further assumption that two certificates are identical if their MD5 thumbprints match. 
This is an incorrect assumption that can be exploited, and was the genesis of the patch.&lt;\/p&gt;\\r\\n&lt;p&gt;To support our hypothesis, we wrote a small application that uses &lt;i&gt;CertGetCertificateChain&lt;\/i&gt; and debugged the certificate verification flow in crypt32.dll. Using WinDbg, we simulated a scenario in which the MD5 thumbprint of our own (self-signed) certificate matches a legitimate certificate that was already in the cache. As shown in Figure 4, our crafted certificate was trusted.&lt;\/p&gt;\\r\\n&quot;}}\">\n<p><i><span>CertGetCertificateChain<\/span><\/i><span>\u00a0birka\u00e7 ilgin\u00e7 parametre al\u0131r:<\/span><\/p>\n<ul>\n<li><i><span>hChainEngine<\/span><\/i><span>\u00a0\u2014 sertifikalar\u0131n do\u011frulanma \u015feklini kontrol etmek i\u00e7in kullan\u0131lan yap\u0131land\u0131r\u0131labilir bir nesne<\/span><\/li>\n<\/ul>\n<ul>\n<li><i><span>pCertContext<\/span><\/i><span>\u00a0\u2014 giri\u015f sertifikas\u0131n\u0131n i\u00e7eri\u011fi, WinAPI i\u015flevi CertCreateCertificateContext taraf\u0131ndan giri\u015f sertifikas\u0131 kullan\u0131larak olu\u015fturulmu\u015f bir veri yap\u0131s\u0131<\/span><\/li>\n<li><i><span>dwFlags<\/span><\/i><span>\u00a0\u2014 daha fazla yap\u0131land\u0131rmay\u0131 belirten bayraklar<\/span><\/li>\n<li><i><span>ppChainContext<\/span><\/i><span>\u00a0\u2014 (di\u011fer alanlar\u0131n yan\u0131 s\u0131ra) g\u00fcven durumunu i\u00e7eren \u00e7\u0131kt\u0131 nesnesi;\u00a0yani, zincirin do\u011frulama karar\u0131<\/span><\/li>\n<\/ul>\n<p><span>Son sertifikalar i\u00e7in \u00f6nbelle\u011fe alma mekanizmas\u0131n\u0131 etkinle\u015ftirmek i\u00e7in geli\u015ftiricinin\u00a0<\/span><i><span>dwFlags i\u00e7inde CERT_CHAIN_CACHE_END_CERT i\u015faretini ayarlamas\u0131 veya \u00f6zel bir zincir motoru olu\u015fturmas\u0131 ve\u00a0<\/span><\/i><i><span>dwFlags<\/span><\/i><span>\u00a0alan\u0131nda\u00a0CERT_CHAIN_CACHE_END_CERT i\u015faretini ayarlamas\u0131 gerekir 
.<\/span><\/p>\n<p><span>To understand how the cache is implemented and used, let&#8217;s look at the function <\/span><i><span>FindIssuerObject<\/span><\/i><span>, which pulls a certificate from the cache. In general, the function behaves as follows:<\/span><\/p>\n<ol>\n<li><span>It calculates the bucket index of the input certificate in the cache, based on the four least significant bytes of its MD5 thumbprint.<\/span><\/li>\n<li><span>If an entry exists in the cache, the function compares the entire MD5 thumbprints of the cached certificate and the input certificate.<\/span><\/li>\n<li><span>If the thumbprints match (a cache hit), the input certificate is trusted and returned. <\/span><b><span>From then on, the application uses the attributes of the input certificate (public key, issuer, etc.), 
not those of the cached certificate<\/span><\/b><span>.<\/span><\/li>\n<li><span>If the thumbprints do not match (a cache miss), the function moves to the next certificate in the bucket, compares its MD5 thumbprint, and repeats.<\/span><\/li>\n<\/ol>\n<p><span>Microsoft inherently trusts the validity of cached certificates and performs no additional validity checks once an end certificate is found in the cache. This, by itself, is a reasonable working assumption. However, the code assumes that two certificates are identical if their MD5 thumbprints match. This is an incorrect assumption that can be exploited, and was the genesis of the patch.<\/span><\/p>\n<p><span>To support our hypothesis, we wrote a small application that uses <\/span><i><span>CertGetCertificateChain<\/span><\/i><span> and debugged the certificate verification flow in crypt32.dll. Using WinDbg, we simulated a scenario in which the MD5 thumbprint of our own (self-signed) certificate matches a legitimate certificate that was already in the cache. As shown in Figure 4, our crafted certificate was trusted.<\/span><\/p>\n<\/div>\n<\/div>\n<div class=\"image aem-GridColumn aem-GridColumn--default--12\">\n<div class=\"cmp-image__wrapper fixed-ratio-16-9\">\n<div class=\"cmp-image\" data-cmp-lazy=\"\" data-title=\"As shown in Figure 4, our crafted certificate was trusted.\" data-cmp-data-layer=\"{&quot;image-47eb8f8253&quot;:{&quot;@type&quot;:&quot;akamai\/components\/image&quot;,&quot;repo:modifyDate&quot;:&quot;2023-01-25T04:15:16Z&quot;,&quot;dc:title&quot;:&quot;As shown in Figure 4, our crafted 
certificate was trusted.&quot;,&quot;xdm:linkURL&quot;:&quot;\/content\/dam\/site\/en\/images\/blog\/2023\/exploiting-critical-fig4.png&quot;,&quot;image&quot;:{&quot;repo:id&quot;:&quot;794973f5-1812-4bcc-a013-7a5fae1b3f0a&quot;,&quot;repo:modifyDate&quot;:&quot;2023-01-25T03:10:23Z&quot;,&quot;@type&quot;:&quot;image\/png&quot;,&quot;repo:path&quot;:&quot;\/content\/dam\/site\/en\/images\/blog\/2023\/exploiting-critical-fig4.png&quot;,&quot;xdm:tags&quot;:[]}}}\"><a class=\"cmp-image__link\" href=\"https:\/\/www.akamai.com\/site\/en\/images\/blog\/2023\/exploiting-critical-fig4.png\" target=\"_blank\" rel=\"nofollow noopener noreferrer\" data-cmp-hook-image=\"link\"><img decoding=\"async\" class=\"cmp-image__image\" src=\"https:\/\/www.akamai.com\/site\/en\/images\/blog\/2023\/exploiting-critical-fig4.png\" alt=\"As shown in Figure 4, our crafted certificate was trusted.\" data-cmp-hook-image=\"image\" title=\"\">\u00a0<\/a><span class=\"cmp-image__title\"><span>Figure 4: Logs showing that both the cached certificate and our crafted certificate were trusted by CryptoAPI<\/span><\/span><\/div>\n<\/div>\n<\/div>\n<div class=\"text aem-GridColumn aem-GridColumn--default--12\">\n<div class=\"cmp-text\" style=\"box-sizing: border-box;\" data-cmp-data-layer=\"{&quot;text-99b5061457&quot;:{&quot;@type&quot;:&quot;akamai\/components\/text&quot;,&quot;repo:modifyDate&quot;:&quot;2023-01-25T03:50:10Z&quot;,&quot;xdm:text&quot;:&quot;&lt;p&gt;By only bypassing one check we could make Windows believe our malicious certificate was a legitimate one.&lt;\/p&gt;\\r\\n&lt;h2&gt;How the vulnerability can be exploited&lt;\/h2&gt;\\r\\n&lt;p&gt;Constructing a certificate with an MD5 thumbprint that exactly matches a given MD5 value is called a preimage attack, and this is computationally infeasible even today. 
However, it is possible to efficiently generate two certificates with two chosen prefixes that will end up having the same MD5 thumbprints; this type of attack is called a chosen prefix collision.&lt;\/p&gt;\\r\\n&lt;p&gt;Choosing this path, we will need to somehow provide two certificates to the victim application. One certificate will be correctly signed, verified, and cached (we\u2019ll refer to it as the \u201cmodified target certificate\u201d). It will be generated in a way that facilitates a chosen prefix collision attack. The second certificate (which we will call the \u201cmalicious certificate\u201d) will contain the spoofed identity. It will collide with the MD5 thumbprint of the first certificate (Figure 5).&lt;\/p&gt;\\r\\n&quot;}}\">\n<p><span>By bypassing only one check, we could make Windows believe our malicious certificate was a legitimate one.<\/span><\/p>\n<h2><span class=\"ez-toc-section\" id=\"Guvenlik_acigindan_nasil_yararlanilabilir\"><\/span><span>How the vulnerability can be exploited<\/span><span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p><span>Constructing a certificate with an MD5 thumbprint that exactly matches a given MD5 value is called a preimage attack, and this is computationally infeasible even today. However, it is possible to efficiently generate two certificates with two chosen prefixes that will end up having the same MD5 thumbprints; this type of attack is called a chosen prefix collision.<\/span><\/p>\n<p><span>Choosing this path, we will need to somehow provide two certificates to the victim application. One certificate will be correctly signed, verified, and 
cached (we&#8217;ll refer to it as the &#8220;modified target certificate&#8221;). It will be generated in a way that facilitates a chosen prefix collision attack. The second certificate (which we will call the &#8220;malicious certificate&#8221;) will contain the spoofed identity. It will collide with the MD5 thumbprint of the first certificate (Figure 5).<\/span><\/p>\n<\/div>\n<\/div>\n<div class=\"image aem-GridColumn aem-GridColumn--default--12\">\n<div class=\"cmp-image__wrapper fixed-ratio-16-9\">\n<div class=\"cmp-image\" data-cmp-lazy=\"\" data-title=\"It will collide with the MD5 thumbprint of the first certificate (Figure 5).\" data-cmp-data-layer=\"{&quot;image-a2c19a181b&quot;:{&quot;@type&quot;:&quot;akamai\/components\/image&quot;,&quot;repo:modifyDate&quot;:&quot;2023-01-25T04:15:45Z&quot;,&quot;dc:title&quot;:&quot;It will collide with the MD5 thumbprint of the first certificate (Figure 5).&quot;,&quot;xdm:linkURL&quot;:&quot;\/content\/dam\/site\/en\/images\/blog\/2023\/exploiting-critical-fig5.png&quot;,&quot;image&quot;:{&quot;repo:id&quot;:&quot;65035011-dcaf-4e33-b152-ad380c8fddaf&quot;,&quot;repo:modifyDate&quot;:&quot;2023-01-25T03:12:16Z&quot;,&quot;@type&quot;:&quot;image\/png&quot;,&quot;repo:path&quot;:&quot;\/content\/dam\/site\/en\/images\/blog\/2023\/exploiting-critical-fig5.png&quot;,&quot;xdm:tags&quot;:[]}}}\"><a class=\"cmp-image__link\" href=\"https:\/\/www.akamai.com\/site\/en\/images\/blog\/2023\/exploiting-critical-fig5.png\" target=\"_blank\" rel=\"nofollow noopener noreferrer\" data-cmp-hook-image=\"link\"><img decoding=\"async\" class=\"cmp-image__image\" src=\"https:\/\/www.akamai.com\/site\/en\/images\/blog\/2023\/exploiting-critical-fig5.png\" alt=\"It will collide with the MD5 thumbprint of the first certificate (Figure 5).\" 
data-cmp-hook-image=\"image\" title=\"\">\u00a0<\/a><span class=\"cmp-image__title\"><span>Figure 5: The malicious certificate&#8217;s MD5 thumbprint will collide with that of the modified target certificate.<\/span><\/span><\/div>\n<\/div>\n<\/div>\n<div class=\"text text__pt-20 aem-GridColumn aem-GridColumn--default--12\">\n<div class=\"cmp-text\" style=\"box-sizing: border-box; padding-top: 20px;\" data-cmp-data-layer=\"{&quot;text-f75dec48b9&quot;:{&quot;@type&quot;:&quot;akamai\/components\/text&quot;,&quot;repo:modifyDate&quot;:&quot;2023-01-25T03:50:30Z&quot;,&quot;xdm:text&quot;:&quot;&lt;h3&gt;Certificate spoofing via MD5 collisions&lt;\/h3&gt;\\r\\n&lt;p&gt;MD5 collisions take us back about 14 years, to a time when Beyonc\u00e9 released \u201cSingle Ladies,\u201d Obama was first elected president, and\u00a0&lt;a href=\\&quot;https:\/\/hackaday.com\/2008\/12\/30\/25c3-hackers-completely-break-ssl-using-200-ps3s\/\\&quot; target=\\&quot;_blank\\&quot; rel=\\&quot;nofollow noreferrer\\&quot;&gt;MD5 collisions were first used to spoof SSL certificates&lt;\/a&gt;. There is one major difference between that first attack and the scenario we deal with today: the previous scenario attacked MD5 &lt;u&gt;signatures&lt;\/u&gt;, but in the current vulnerability we are dealing with MD5 &lt;u&gt;thumbprints&lt;\/u&gt;. Let\u2019s understand the difference.&lt;\/p&gt;\\r\\n&lt;p&gt;According to\u00a0&lt;a href=\\&quot;https:\/\/www.rfc-editor.org\/rfc\/rfc5280\\&quot; target=\\&quot;_blank\\&quot; rel=\\&quot;nofollow noreferrer\\&quot;&gt;RFC 5280&lt;\/a&gt;, section 4.1, a certificate is an ASN.1 sequence with two sections (Figure 6):&lt;\/p&gt;\\r\\n&lt;ul&gt;\\r\\n&lt;li&gt;&lt;p&gt;&lt;i&gt;tbsCertificate&lt;\/i&gt; (or \u201cto-be-signed\u201d certificate) \u2014 This is the part that contains all identity-related details (subject, public key, serial number, EKU, etc.). 
This is the part that is signed.&lt;\/p&gt;\\r\\n&lt;\/li&gt;\\r\\n&lt;li&gt;&lt;p&gt;&lt;i&gt;signatureAlgorithm&lt;\/i&gt; and &lt;i&gt;signatureValue&lt;\/i&gt; \u2014 These fields comprise the signature of the TBS.&lt;\/p&gt;\\r\\n&lt;\/li&gt;\\r\\n&lt;\/ul&gt;\\r\\n&quot;}}\">\n<h3><span class=\"ez-toc-section\" id=\"MD5_carpismalari_yoluyla_sertifika_sahteciligi\"><\/span><span>Certificate spoofing via MD5 collisions<\/span><span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p><span>MD5 collisions take us back about 14 years, to a time when Beyonc\u00e9 released &#8220;Single Ladies,&#8221; Obama was first elected president, and <\/span><a href=\"https:\/\/hackaday.com\/2008\/12\/30\/25c3-hackers-completely-break-ssl-using-200-ps3s\/\" target=\"_blank\" rel=\"nofollow noopener noreferrer\"><span>MD5 collisions were first used to spoof SSL certificates<\/span><\/a><span>. There is one major difference between that first attack and the scenario we deal with today: the previous scenario attacked MD5 <\/span><u><span>signatures<\/span><\/u><span>, but in the current vulnerability we are dealing with MD5 <\/span><u><span>thumbprints<\/span><\/u><span>. Let&#8217;s understand the difference.<\/span><\/p>\n<p><span>According to <\/span><a href=\"https:\/\/www.rfc-editor.org\/rfc\/rfc5280\" target=\"_blank\" rel=\"nofollow noopener noreferrer\"><span>RFC 5280<\/span><\/a><span>, section 4.1, a certificate is an ASN.1 sequence with two sections (Figure 6):<\/span><\/p>\n<ul>\n<li><i><span>tbsCertificate<\/span><\/i><span> (or &#8220;to-be-signed&#8221; certificate) \u2014 This is the part that contains all identity-related 
details (subject, public key, serial number, EKU, etc.). This is the part that is signed.<\/span><\/li>\n<li><i><span>signatureAlgorithm<\/span><\/i><span> and <\/span><i><span>signatureValue<\/span><\/i><span> \u2014 These fields comprise the signature of the TBS.<\/span><\/li>\n<\/ul>\n<\/div>\n<\/div>\n<div class=\"prismjs aem-GridColumn aem-GridColumn--default--12\">\n<pre class=\"cmp-prismjs  language-javascript\" tabindex=\"0\" data-cmp-data-layer=\"{&quot;prismjs-e557089713&quot;:{&quot;@type&quot;:&quot;akamai\/components\/prismjs&quot;,&quot;repo:modifyDate&quot;:&quot;2023-01-25T03:57:50Z&quot;}}\"><code class=\" language-javascript\" data-cmp-hook-prismjs=\"code\"> Certificate  <span class=\"token operator\">:<\/span><span class=\"token operator\">:<\/span><span class=\"token operator\">=<\/span>  <span class=\"token constant\">SEQUENCE<\/span>  <span class=\"token punctuation\">{<\/span>\r\n        tbsCertificate       TBSCertificate<span class=\"token punctuation\">,<\/span>\r\n        signatureAlgorithm   AlgorithmIdentifier<span class=\"token punctuation\">,<\/span>\r\n        signatureValue       <span class=\"token constant\">BIT<\/span> <span class=\"token constant\">STRING<\/span>  <span class=\"token punctuation\">}<\/span><\/code><\/pre>\n<\/div>\n<div class=\"text text__pb-20 aem-GridColumn aem-GridColumn--default--12\">\n<div class=\"cmp-text\" style=\"box-sizing: border-box; padding-bottom: 20px;\" data-cmp-data-layer=\"{&quot;text-4c94acbc06&quot;:{&quot;@type&quot;:&quot;akamai\/components\/text&quot;,&quot;repo:modifyDate&quot;:&quot;2023-01-25T04:20:43Z&quot;,&quot;xdm:text&quot;:&quot;&lt;p&gt;Fig. 
6: The ASN.1 sequence that defines certificates&lt;\/p&gt;\\r\\n&lt;p&gt;A certificate &lt;i&gt;signature&lt;\/i&gt; is therefore a structure embedded inside the certificate, which only signs the TBS part of the certificate. On the other hand, a certificate &lt;i&gt;thumbprint&lt;\/i&gt; is a hash of the &lt;i&gt;entire&lt;\/i&gt; certificate (including the signature).&lt;br&gt;\\r\\n&lt;\/p&gt;\\r\\n&lt;p&gt;So, if we could modify any part of the certificate that\u2019s outside the TBS without invalidating the certificate,&lt;b&gt; then we would modify the thumbprint without changing the signature&lt;\/b&gt;. If the parser parses the signature correctly and the TBS is unchanged, then the certificate would still be considered valid and signed, even though the full certificate structure has changed (Figure 7).&lt;\/p&gt;\\r\\n&quot;}}\">\n<p><span>Figure 6: The ASN.1 sequence that defines certificates<\/span><\/p>\n<p><span>A certificate <\/span><i><span>signature<\/span><\/i><span> is therefore a structure embedded inside the certificate, which only signs the TBS part of the certificate. On the other hand, a certificate <\/span><i><span>thumbprint<\/span><\/i><span> is a hash of the <\/span><i><span>entire<\/span><\/i><span> certificate (including the signature).<\/span><\/p>\n<p><span>So, if we could modify any part of the certificate that&#8217;s outside the TBS without invalidating the certificate, <\/span><b><span>then we would modify the thumbprint without changing the signature<\/span><\/b><span>. If the parser parses the signature correctly and the TBS is unchanged, then the certificate would still be considered valid and signed, even though the full certificate structure has changed 
(Figure 7).<\/span><\/p>\n<\/div>\n<\/div>\n<div class=\"image aem-GridColumn aem-GridColumn--default--12\">\n<div class=\"cmp-image__wrapper fixed-ratio-16-9\">\n<div class=\"cmp-image\" data-cmp-lazy=\"\" data-title=\" If the parser parses the signature correctly and the TBS is unchanged, then the certificate would still be considered valid and signed, even though the full certificate structure has changed (Figure 7).\" data-cmp-data-layer=\"{&quot;image-cd76b8686b&quot;:{&quot;@type&quot;:&quot;akamai\/components\/image&quot;,&quot;repo:modifyDate&quot;:&quot;2023-01-25T04:21:47Z&quot;,&quot;dc:title&quot;:&quot; If the parser parses the signature correctly and the TBS is unchanged, then the certificate would still be considered valid and signed, even though the full certificate structure has changed (Figure 7).&quot;,&quot;xdm:linkURL&quot;:&quot;\/content\/dam\/site\/en\/images\/blog\/2023\/exploiting-critical-fig7.png&quot;,&quot;image&quot;:{&quot;repo:id&quot;:&quot;550f1f23-ecf2-413b-843b-dc6e1e4b28b7&quot;,&quot;repo:modifyDate&quot;:&quot;2023-01-25T04:21:36Z&quot;,&quot;@type&quot;:&quot;image\/png&quot;,&quot;repo:path&quot;:&quot;\/content\/dam\/site\/en\/images\/blog\/2023\/exploiting-critical-fig7.png&quot;,&quot;xdm:tags&quot;:[]}}}\"><a class=\"cmp-image__link\" href=\"https:\/\/www.akamai.com\/site\/en\/images\/blog\/2023\/exploiting-critical-fig7.png\" target=\"_blank\" rel=\"nofollow noopener noreferrer\" data-cmp-hook-image=\"link\"><img decoding=\"async\" class=\"cmp-image__image\" src=\"https:\/\/www.akamai.com\/site\/en\/images\/blog\/2023\/exploiting-critical-fig7.png\" alt=\"If the parser parses the signature correctly and the TBS is unchanged, then the certificate would still be considered valid and signed, even though the full certificate structure has changed (Figure 7).\" data-cmp-hook-image=\"image\" title=\"\">\u00a0<\/a><span 
class=\"cmp-image__title\"><span>Figure 7: Data added outside the TBS does not affect the certificate&#8217;s validity<\/span><\/span><\/div>\n<\/div>\n<\/div>\n<div class=\"text text__pt-20 text__pb-20 aem-GridColumn aem-GridColumn--default--12\">\n<div class=\"cmp-text\" style=\"box-sizing: border-box; padding-top: 20px; padding-bottom: 20px;\" data-cmp-data-layer=\"{&quot;text-69e491709f&quot;:{&quot;@type&quot;:&quot;akamai\/components\/text&quot;,&quot;repo:modifyDate&quot;:&quot;2023-01-25T04:07:59Z&quot;,&quot;xdm:text&quot;:&quot;&lt;h3&gt;MD5 chosen prefix collisions \u2014 a brief overview&lt;\/h3&gt;\\r\\n&lt;p&gt;Say you have two arbitrary strings, A and B, of the same length. Then, two strings, C and D, can be calculated efficiently, such that&lt;\/p&gt;\\r\\n&lt;table&gt;\\r\\n&lt;tbody&gt;&lt;tr&gt;&lt;td&gt;&lt;p style=\\&quot;text-align: center;\\&quot;&gt;MD5(A || C) = MD5(B || D)&lt;\/p&gt;\\r\\n&lt;\/td&gt;\\r\\n&lt;\/tr&gt;&lt;\/tbody&gt;&lt;\/table&gt;\\r\\n&lt;p&gt;where || indicates string concatenation.&lt;\/p&gt;\\r\\n&lt;p&gt;Moreover, it is not just the final MD5 result that will be the same, but also the MD5 internal state after appending C or D. Therefore, if you take any suffix E, you would then have&lt;\/p&gt;\\r\\n&lt;table&gt;\\r\\n&lt;tbody&gt;&lt;tr&gt;&lt;td&gt;&lt;p style=\\&quot;text-align: center;\\&quot;&gt;MD5(A || C || E) = MD5(B || D || E)&lt;\/p&gt;\\r\\n&lt;\/td&gt;\\r\\n&lt;\/tr&gt;&lt;\/tbody&gt;&lt;\/table&gt;\\r\\n&lt;p&gt;(provided the same suffix E is added on both sides).&lt;\/p&gt;\\r\\n&lt;h3&gt;Making room for collision blocks&lt;\/h3&gt;\\r\\n&lt;p&gt;As attackers, we\u2019ll need to generate a certificate that seems valid but also contains room for collision blocks (the strings C and D in the explanation above). 
This will enable us to create our malicious certificate (with the same MD5 thumbprint), which we will serve next.&lt;\/p&gt;\\r\\n&lt;p&gt;According to &lt;a href=\\&quot;https:\/\/www.rfc-editor.org\/rfc\/rfc5280\\&quot; target=\\&quot;_blank\\&quot; rel=\\&quot;nofollow noreferrer\\&quot;&gt;RFC 5280&lt;\/a&gt;, section 4.1.1.2, the structure of &lt;i&gt;signatureAlgorithm&lt;\/i&gt; is&lt;\/p&gt;\\r\\n&quot;}}\">\n<h3><span class=\"ez-toc-section\" id=\"MD5_secilmis_onek_cakismalari_%E2%80%94_kisa_bir_genel_bakis\"><\/span><span>MD5 chosen prefix collisions \u2014 a brief overview<\/span><span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p><span>Say you have two arbitrary strings, A and B, of the same length. Then, two strings, C and D, can be calculated efficiently, such that<\/span><\/p>\n<table>\n<tbody>\n<tr>\n<td><span>MD5(A || C) = MD5(B || D)<\/span><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p><span>where || indicates string concatenation.<\/span><\/p>\n<p><span>Moreover, it is not just the final MD5 result that will be the same, but also the MD5 internal state after appending C or D. 
Therefore, if you take any suffix E, you would then have<\/span><\/p>\n<table>\n<tbody>\n<tr>\n<td><span>MD5(A || C || E) = MD5(B || D || E)<\/span><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p><span>(provided the same suffix E is added on both sides).<\/span><\/p>\n<h3><span class=\"ez-toc-section\" id=\"Carpisma_bloklari_icin_yer_acmak\"><\/span><span>Making room for collision blocks<\/span><span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p><span>As attackers, we&#8217;ll need to generate a certificate that seems valid but also contains room for collision blocks (the strings C and D in the explanation above). This will enable us to create our malicious certificate (with the same MD5 thumbprint), which we will serve next.<\/span><\/p>\n<p><span>According to <\/span><a href=\"https:\/\/www.rfc-editor.org\/rfc\/rfc5280\" target=\"_blank\" rel=\"nofollow noopener noreferrer\"><span>RFC 5280<\/span><\/a><span>, section 4.1.1.2, the structure of <\/span><i><span>signatureAlgorithm<\/span><\/i><span> is:<\/span><\/p>\n<\/div>\n<\/div>\n<div class=\"prismjs aem-GridColumn aem-GridColumn--default--12\">\n<pre class=\"cmp-prismjs  language-javascript\" tabindex=\"0\" data-cmp-data-layer=\"{&quot;prismjs-0f4f564398&quot;:{&quot;@type&quot;:&quot;akamai\/components\/prismjs&quot;,&quot;repo:modifyDate&quot;:&quot;2023-01-25T03:57:42Z&quot;}}\"><code class=\" language-javascript\" data-cmp-hook-prismjs=\"code\">AlgorithmIdentifier  <span class=\"token operator\">:<\/span><span class=\"token operator\">:<\/span><span class=\"token operator\">=<\/span>  <span class=\"token constant\">SEQUENCE<\/span>  <span class=\"token punctuation\">{<\/span>\r\n        algorithm               <span class=\"token constant\">OBJECT<\/span> <span 
class=\"token constant\">IDENTIFIER<\/span><span class=\"token punctuation\">,<\/span>\r\n        parameters              <span class=\"token constant\">ANY<\/span> <span class=\"token constant\">DEFINED<\/span> <span class=\"token constant\">BY<\/span> algorithm <span class=\"token constant\">OPTIONAL<\/span>  <span class=\"token punctuation\">}<\/span><\/code><\/pre>\n<\/div>\n<div class=\"text text__pb-20 aem-GridColumn aem-GridColumn--default--12\">\n<div class=\"cmp-text\" style=\"box-sizing: border-box; padding-bottom: 20px;\" data-cmp-data-layer=\"{&quot;text-77ec79f8a5&quot;:{&quot;@type&quot;:&quot;akamai\/components\/text&quot;,&quot;repo:modifyDate&quot;:&quot;2023-01-25T03:51:36Z&quot;,&quot;xdm:text&quot;:&quot;&lt;p&gt;The parameters field for the RSA algorithm (based on &lt;a href=\\&quot;https:\/\/www.rfc-editor.org\/rfc\/rfc3279\\&quot; target=\\&quot;_blank\\&quot; rel=\\&quot;nofollow noreferrer\\&quot;&gt;RFC 3279&lt;\/a&gt;) \u201cSHALL be the ASN.1 type NULL\u201d. In other words: RSA doesn\u2019t use signature parameters but instead takes NULL as value. Is it possible that CryptoAPI ignores this field for RSA signatures?&lt;\/p&gt;\\r\\n&lt;p&gt;To insert placeholder bytes to this field (as preparation for collision blocks), we tried to change its ASN.1 type from NULL to BIT STRING. Testing this against CryptoAPI as well as OpenSSL, &lt;b&gt;it works&lt;\/b&gt; \u2014 the certificate is still considered valid. The signature is unchanged and unbroken because we didn\u2019t modify the TBS. 
(Of course, the MD5 thumbprint does change.)&lt;\/p&gt;\\r\\n&lt;h3&gt;Certificate MD5 thumbprint collisions&lt;\/h3&gt;\\r\\n&lt;p&gt;Now, we can piece things together and provide a recipe for manipulating an existing, already-signed certificate to collide with a malicious certificate\u2019s MD5 thumbprint.&lt;\/p&gt;\\r\\n&lt;ol&gt;\\r\\n&lt;li&gt;&lt;p&gt;Take a legitimate RSA-signed end certificate, such as a website\u2019s TLS certificate (our \u201ctarget certificate\u201d).&lt;\/p&gt;\\r\\n&lt;\/li&gt;\\r\\n&lt;li&gt;&lt;p&gt;Modify any interesting fields (subject, extensions, EKU, public key, etc.) in the TBS part of the certificate to create the malicious certificate. Note: We don\u2019t touch the signature, so the malicious certificate is incorrectly signed. Modifying the public key is important here \u2014 this allows the attacker to sign as the malicious certificate.&lt;\/p&gt;\\r\\n&lt;\/li&gt;\\r\\n&lt;li&gt;&lt;p&gt;Modify the &lt;i&gt;parameters&lt;\/i&gt; field of the &lt;i&gt;signatureAlgorithm&lt;\/i&gt; field of both certificates, so that there is enough space to put MD5 collision blocks (C and D in the explanation above) starting in the same offset of both certificates.&lt;\/p&gt;\\r\\n&lt;\/li&gt;\\r\\n&lt;li&gt;&lt;p&gt;Truncate both certificates at the position where MD5 collision blocks are to be placed.&lt;\/p&gt;\\r\\n&lt;\/li&gt;\\r\\n&lt;li&gt;&lt;p&gt;Perform an MD5 chosen prefix collision computation and copy the result into the certificates.&lt;\/p&gt;\\r\\n&lt;\/li&gt;\\r\\n&lt;li&gt;&lt;p&gt;Concatenate the legitimate certificate\u2019s signature value (suffix E in the explanation above) to both incomplete certificates.&lt;\/p&gt;\\r\\n&lt;\/li&gt;\\r\\n&lt;\/ol&gt;\\r\\n&lt;h3&gt;A real-world example&lt;\/h3&gt;\\r\\n&lt;p&gt;With our understanding of MD5 collisions, we can now attempt to exploit this CVE with a real target. Among the numerous applications we checked, we were able to find a vulnerable target: Chrome v48. 
(This application is vulnerable simply because it passes the flag CERT_CHAIN_CACHE_END_CERT to &lt;i&gt;CertGetCertificateChain&lt;\/i&gt;.) Other Chromium-based applications from that time are also vulnerable to this CVE.&lt;\/p&gt;\\r\\n&lt;p&gt;In order for us to exploit this vulnerability we first needed to create two certificates that have the same MD5 thumbprint, which we did using &lt;a href=\\&quot;https:\/\/github.com\/cr-marcstevens\/hashclash\\&quot; target=\\&quot;_blank\\&quot; rel=\\&quot;nofollow noreferrer\\&quot;&gt;HashClash&lt;\/a&gt; (Figure 8).&lt;\/p&gt;\\r\\n&quot;}}\">\n<p><span>The parameters field for the RSA algorithm (based on <\/span><a href=\"https:\/\/www.rfc-editor.org\/rfc\/rfc3279\" target=\"_blank\" rel=\"nofollow noopener noreferrer\"><span>RFC 3279<\/span><\/a><span>) &#8220;SHALL be the ASN.1 type NULL&#8221;. In other words, RSA doesn&#8217;t use signature parameters and instead takes NULL as the value. Is it possible that CryptoAPI ignores this field for RSA signatures?<\/span><\/p>\n<p><span>To insert placeholder bytes into this field (as preparation for collision blocks), we tried to change its ASN.1 type from NULL to BIT STRING. We tested this against CryptoAPI as well as OpenSSL, and <\/span><b><span>it works<\/span><\/b><span>: the certificate is still considered valid. The signature is unchanged and unbroken because we didn&#8217;t modify the TBS. (Of course, the MD5 thumbprint does change.)<\/span><\/p>\n<h3><span class=\"ez-toc-section\" id=\"Sertifika_MD5_parmak_izi_cakismalari\"><\/span><span>Certificate MD5 thumbprint collisions<\/span><span 
class=\"ez-toc-section-end\"><\/span><\/h3>\n<p><span>Now, we can piece things together and provide a recipe for manipulating an existing, already-signed certificate to collide with a malicious certificate&#8217;s MD5 thumbprint.<\/span><\/p>\n<ol>\n<li><span>Take a legitimate RSA-signed end certificate, such as a website&#8217;s TLS certificate (our &#8220;target certificate&#8221;).<\/span><\/li>\n<li><span>Modify any interesting fields (subject, extensions, EKU, public key, etc.) in the TBS part of the certificate to create the malicious certificate. Note: We don&#8217;t touch the signature, so the malicious certificate is incorrectly signed. Modifying the public key is important here, because it allows the attacker to sign as the malicious certificate.<\/span><\/li>\n<li><span>Modify the <\/span><i><span>parameters<\/span><\/i><span> field of the <\/span><i><span>signatureAlgorithm<\/span><\/i><span> field of both certificates, so that there is enough space to put MD5 collision blocks (C and D in the explanation above) starting at the same offset in both certificates.<\/span><\/li>\n<li><span>Truncate both certificates at the position where MD5 collision blocks are to be placed.<\/span><\/li>\n<li><span>Perform an MD5 chosen prefix collision computation and copy the result into the certificates.<\/span><\/li>\n<li><span>Concatenate the legitimate certificate&#8217;s signature value (suffix E in the explanation above) to both incomplete 
certificates.<\/span><\/li>\n<\/ol>\n<h3><span class=\"ez-toc-section\" id=\"Gercek_dunyadan_bir_ornek\"><\/span><span>A real-world example<\/span><span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p><span>With our understanding of MD5 collisions, we can now attempt to exploit this CVE with a real target. Among the numerous applications we checked, we were able to find a vulnerable target: Chrome v48. (This application is vulnerable simply because it passes the flag CERT_CHAIN_CACHE_END_CERT to <\/span><i><span>CertGetCertificateChain<\/span><\/i><span>.) Other Chromium-based applications from that time are also vulnerable to this CVE.<\/span><\/p>\n<p><span>To exploit this vulnerability, we first needed to create two certificates that have the same MD5 thumbprint, which we did using <\/span><a href=\"https:\/\/github.com\/cr-marcstevens\/hashclash\" target=\"_blank\" rel=\"nofollow noopener noreferrer\"><span>HashClash<\/span><\/a><span> (Figure 8).<\/span><\/p>\n<\/div>\n<\/div>\n<div class=\"image aem-GridColumn aem-GridColumn--default--12\">\n<div class=\"cmp-image__wrapper fixed-ratio-16-9\">\n<div class=\"cmp-image\" data-cmp-lazy=\"\" data-title=\"In order for us to exploit this vulnerability we first needed to create two certificates that have the same MD5 thumbprint, which we did using HashClash (Figure 8).\" data-cmp-data-layer=\"{&quot;image-3035611dab&quot;:{&quot;@type&quot;:&quot;akamai\/components\/image&quot;,&quot;repo:modifyDate&quot;:&quot;2023-01-25T04:22:54Z&quot;,&quot;dc:title&quot;:&quot;In order for us to exploit this vulnerability we first needed to create two certificates that have the same MD5 thumbprint, which we did using HashClash (Figure 
8).&quot;,&quot;xdm:linkURL&quot;:&quot;\/content\/dam\/site\/en\/images\/blog\/2023\/exploiting-critical-fig8.png&quot;,&quot;image&quot;:{&quot;repo:id&quot;:&quot;298428a5-5f84-4e4e-92cf-305c4b3ca569&quot;,&quot;repo:modifyDate&quot;:&quot;2023-01-25T04:22:43Z&quot;,&quot;@type&quot;:&quot;image\/png&quot;,&quot;repo:path&quot;:&quot;\/content\/dam\/site\/en\/images\/blog\/2023\/exploiting-critical-fig8.png&quot;,&quot;xdm:tags&quot;:[]}}}\"><a class=\"cmp-image__link\" href=\"https:\/\/www.akamai.com\/site\/en\/images\/blog\/2023\/exploiting-critical-fig8.png\" target=\"_blank\" rel=\"nofollow noopener noreferrer\" data-cmp-hook-image=\"link\"><img decoding=\"async\" class=\"cmp-image__image\" src=\"https:\/\/www.akamai.com\/site\/en\/images\/blog\/2023\/exploiting-critical-fig8.png\" alt=\"In order for us to exploit this vulnerability we first needed to create two certificates that have the same MD5 thumbprint, which we did using HashClash (Figure 8).\" data-cmp-hook-image=\"image\" title=\"\">\u00a0<\/a><span class=\"cmp-image__title\"><span>Figure 8: Creating two certificates with the same MD5 thumbprint using a chosen-prefix collision<\/span><\/span><\/div>\n<\/div>\n<\/div>\n<div class=\"text aem-GridColumn aem-GridColumn--default--12\">\n<div class=\"cmp-text\" style=\"box-sizing: border-box;\" data-cmp-data-layer=\"{&quot;text-54b1385a95&quot;:{&quot;@type&quot;:&quot;akamai\/components\/text&quot;,&quot;repo:modifyDate&quot;:&quot;2023-01-25T15:19:11Z&quot;,&quot;xdm:text&quot;:&quot;&lt;p&gt;We then had to find a way to inject our modified target certificate to Chrome\u2019s cache. 
This was tricky to do since it is impossible to serve a certificate without knowing its private key.&lt;\/p&gt;\\n&lt;p&gt;In TLS 1.2, there are two relevant verification stages:&lt;\/p&gt;\\n&lt;ol&gt;\\n&lt;li&gt;&lt;p&gt;The &lt;a href=\\&quot;https:\/\/tls12.xargs.org\/#server-key-exchange\\&quot; target=\\&quot;_blank\\&quot; rel=\\&quot;nofollow noreferrer\\&quot;&gt;Server Key Exchange&lt;\/a&gt; message \u2014 this message can only be constructed by someone who knows the certificate\u2019s private key, since it's signed by the certificate&lt;\/p&gt;\\n&lt;\/li&gt;\\n&lt;li&gt;&lt;p&gt;The &lt;a href=\\&quot;https:\/\/tls12.xargs.org\/#server-handshake-finished\\&quot; target=\\&quot;_blank\\&quot; rel=\\&quot;nofollow noreferrer\\&quot;&gt;Server Handshake Finished&lt;\/a&gt; message \u2014 this message includes an anti-tamper verification of all previous handshake messages&lt;\/p&gt;\\n&lt;\/li&gt;\\n&lt;\/ol&gt;\\n&lt;p&gt;(TLS 1.3 is different and we did not focus on it.)&lt;\/p&gt;\\n&lt;p&gt;Remember, at the first phase of the attack we want to inject the modified certificate into Chrome's end certificate cache.&lt;\/p&gt;\\n&lt;p&gt;Using a Python script as a proxy, we carry out a machine-in-the-middle (MITM) attack:&lt;\/p&gt;\\n&lt;ol&gt;\\n&lt;li&gt;&lt;p&gt;Our malicious MITM server talks with the real server and reflects the first messages of the TLS handshake to the victim.&lt;\/p&gt;\\n&lt;\/li&gt;\\n&lt;li&gt;&lt;p&gt;In the Server Certificate message, our malicious MITM server modifies the real server's message and replaces the real target certificate with the modified certificate.&lt;\/p&gt;\\n&lt;\/li&gt;\\n&lt;li&gt;&lt;p&gt;The Server Key Exchange message can be reflected without changes.&lt;\/p&gt;\\n&lt;\/li&gt;\\n&lt;li&gt;&lt;p&gt;Our malicious server cannot simply forward the Server Handshake Finished message, because the handshake was indeed tampered with. 
Thus, we terminate the connection.&lt;\/p&gt;\\n&lt;\/li&gt;\\n&lt;\/ol&gt;\\n&lt;p&gt;In order to verify the Server Key Exchange message, Chrome must load the modified certificate with CryptoAPI and, therefore, it would be injected into the cache. Chrome doesn't treat the broken connection as a TLS security issue \u2014 it could be just a random network issue. Chrome tries to reconnect, and this time, instead of reflecting messages from the real website, the malicious server will serve a website with the malicious certificate. Chrome will skip the full verification process because it thinks the certificate is already in the cache. The result will be a seamless site visit to a seemingly legitimate Microsoft website (Figures 9 and 10). The full exploitation flow can be seen in &lt;a rel=\\&quot;nofollow noreferrer\\&quot; href=\\&quot;https:\/\/user-images.githubusercontent.com\/114926055\/214040642-beb765f7-4788-45e8-836c-a08dc441b5b4.mp4\\&quot; target=\\&quot;_blank\\&quot;&gt;our video&lt;\/a&gt;.&lt;\/p&gt;\\n&quot;}}\">\n<p><span>We then had to find a way to inject our modified target certificate into Chrome&#8217;s cache.\u00a0This was tricky to do, since it is impossible to serve a certificate without knowing its private key.<\/span><\/p>\n<p><span>In TLS 1.2, there are two relevant verification stages:<\/span><\/p>\n<ol>\n<li><span>The <a href=\"https:\/\/sunucucozumleri.com\/blog\/frontpage\/\">Server<\/a>\u00a0<\/span><a href=\"https:\/\/tls12.xargs.org\/#server-key-exchange\" target=\"_blank\" rel=\"nofollow noopener noreferrer\"><span>Key Exchange<\/span><\/a><span>\u00a0message \u2014 this message can only be constructed by someone who knows the certificate&#8217;s private key, since it is signed by the certificate.<\/span><\/li>\n<li><span>The Server\u00a0<\/span><a 
href=\"https:\/\/tls12.xargs.org\/#server-handshake-finished\" target=\"_blank\" rel=\"nofollow noopener noreferrer\"><span>Handshake Finished<\/span><\/a><span>\u00a0message \u2014 this message includes an anti-tamper verification of all previous handshake messages.<\/span><\/li>\n<\/ol>\n<p><span>(TLS 1.3 is different and we did not focus on it.)<\/span><\/p>\n<p><span>Remember, in the first phase of the attack we want to inject the modified certificate into Chrome&#8217;s end certificate cache.<\/span><\/p>\n<p><span>Using a <a href=\"https:\/\/sunucucozumleri.com\/blog\/python-nedir\/\">Python<\/a> script as a <a href=\"https:\/\/sunucucozumleri.com\/blog\/073-proxy-nedir-proxy-nasil-kullanilabilir\/\">proxy<\/a>, we carry out a machine-in-the-middle (MITM) attack:<\/span><\/p>\n<ol>\n<li><span>Our malicious MITM server talks with the real server and reflects the first messages of the TLS handshake to the victim.<\/span><\/li>\n<li><span>In the Server Certificate message, our malicious MITM server modifies the real server&#8217;s message and replaces the real target certificate with the modified certificate.<\/span><\/li>\n<li><span>The Server Key Exchange message can be reflected without changes.<\/span><\/li>\n<li><span>Our malicious server cannot simply forward the Server Handshake Finished message, because the handshake was indeed tampered with.\u00a0Thus, we terminate the connection.<\/span><\/li>\n<\/ol>\n<p><span>In order to verify the Server Key Exchange 
message, Chrome must load the modified certificate with CryptoAPI, and it is therefore injected into the cache.\u00a0Chrome does not treat the broken connection as a TLS security issue; it could be just a random network issue.\u00a0Chrome tries to reconnect, and this time, instead of reflecting messages from the real website, the malicious server serves a website with the malicious certificate.\u00a0Chrome will skip the full verification process because it thinks the certificate is already in the cache.\u00a0The result is a seamless site visit to a seemingly legitimate Microsoft website (Figures 9 and 10).\u00a0The full exploitation flow can be seen in\u00a0<\/span><a href=\"https:\/\/user-images.githubusercontent.com\/114926055\/214040642-beb765f7-4788-45e8-836c-a08dc441b5b4.mp4\" target=\"_blank\" rel=\"nofollow noopener noreferrer\"><span>our video<\/span><\/a><span>.<\/span><\/p>\n<\/div>\n<\/div>\n<div class=\"image aem-GridColumn aem-GridColumn--default--12\">\n<div class=\"cmp-image__wrapper fixed-ratio-16-9\">\n<div class=\"cmp-image\" data-cmp-lazy=\"\" data-title=\"Seamless site visit to a seemingly legitimate Microsoft website (Figures 9 and 10).\" data-cmp-data-layer=\"{&quot;image-ce464e33e5&quot;:{&quot;@type&quot;:&quot;akamai\/components\/image&quot;,&quot;repo:modifyDate&quot;:&quot;2023-01-25T04:23:58Z&quot;,&quot;dc:title&quot;:&quot;Seamless site visit to a seemingly legitimate Microsoft website (Figures 9 and 
10).&quot;,&quot;xdm:linkURL&quot;:&quot;\/content\/dam\/site\/en\/images\/blog\/2023\/exploiting-critical-fig9.png&quot;,&quot;image&quot;:{&quot;repo:id&quot;:&quot;24b842af-4b21-4f61-a5ac-bb83a8d6840c&quot;,&quot;repo:modifyDate&quot;:&quot;2023-01-25T04:23:49Z&quot;,&quot;@type&quot;:&quot;image\/png&quot;,&quot;repo:path&quot;:&quot;\/content\/dam\/site\/en\/images\/blog\/2023\/exploiting-critical-fig9.png&quot;,&quot;xdm:tags&quot;:[]}}}\"><a class=\"cmp-image__link\" href=\"https:\/\/www.akamai.com\/site\/en\/images\/blog\/2023\/exploiting-critical-fig9.png\" target=\"_blank\" rel=\"nofollow noopener noreferrer\" data-cmp-hook-image=\"link\"><img decoding=\"async\" class=\"cmp-image__image\" src=\"https:\/\/www.akamai.com\/site\/en\/images\/blog\/2023\/exploiting-critical-fig9.png\" alt=\"Seamless site visit to a seemingly legitimate Microsoft website (Figures 9 and 10).\" data-cmp-hook-image=\"image\" title=\"\">\u00a0<\/a><span class=\"cmp-image__title\"><span>Figure 9: Full attack flow in Chrome v48<\/span><\/span><\/div>\n<\/div>\n<\/div>\n<div class=\"section aem-GridColumn aem-GridColumn--default--12\">\n<div class=\"cmp-section  \" data-cmp-data-layer=\"{&quot;section-4151f2461f&quot;:{&quot;@type&quot;:&quot;akamai\/components\/section&quot;,&quot;repo:modifyDate&quot;:&quot;2023-01-25T03:33:24Z&quot;}}\">\n<div class=\"cmp-section__row  cmp-section__1-columns\">\n<div class=\"cmp-section__row-wrapper  \">\n<div class=\"columns column-1 single-col-full-width \"><\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<div class=\"image aem-GridColumn aem-GridColumn--default--12\">\n<div class=\"cmp-image__wrapper fixed-ratio-16-9\">\n<div class=\"cmp-image\" data-cmp-lazy=\"\" data-title=\"Malicious certificate\" 
data-cmp-data-layer=\"{&quot;image-09fdcbd5c0&quot;:{&quot;@type&quot;:&quot;akamai\/components\/image&quot;,&quot;repo:modifyDate&quot;:&quot;2023-01-25T04:24:46Z&quot;,&quot;dc:title&quot;:&quot;Malicious certificate&quot;,&quot;xdm:linkURL&quot;:&quot;\/content\/dam\/site\/en\/images\/blog\/2023\/exploiting-critical-fig10.png&quot;,&quot;image&quot;:{&quot;repo:id&quot;:&quot;977d011d-fceb-4869-a742-08ffdb5ecd5c&quot;,&quot;repo:modifyDate&quot;:&quot;2023-01-25T04:24:36Z&quot;,&quot;@type&quot;:&quot;image\/png&quot;,&quot;repo:path&quot;:&quot;\/content\/dam\/site\/en\/images\/blog\/2023\/exploiting-critical-fig10.png&quot;,&quot;xdm:tags&quot;:[]}}}\"><a class=\"cmp-image__link\" href=\"https:\/\/www.akamai.com\/site\/en\/images\/blog\/2023\/exploiting-critical-fig10.png\" data-cmp-hook-image=\"link\" rel=\"nofollow noopener\" target=\"_blank\"><img decoding=\"async\" class=\"cmp-image__image\" src=\"https:\/\/www.akamai.com\/site\/en\/images\/blog\/2023\/exploiting-critical-fig10.png\" alt=\"Malicious certificate\" data-cmp-hook-image=\"image\" title=\"\">\u00a0<\/a><span class=\"cmp-image__title\"><span>Figure 10: Vulnerable Chrome trusts our malicious certificate<\/span><\/span><\/div>\n<\/div>\n<\/div>\n<div class=\"text text__pt-20 text__pb-20 aem-GridColumn aem-GridColumn--default--12\">\n<div class=\"cmp-text\" style=\"box-sizing: border-box; padding-top: 20px; padding-bottom: 20px;\" data-cmp-data-layer=\"{&quot;text-894e0b5ecb&quot;:{&quot;@type&quot;:&quot;akamai\/components\/text&quot;,&quot;repo:modifyDate&quot;:&quot;2023-01-25T03:51:59Z&quot;,&quot;xdm:text&quot;:&quot;&lt;h2&gt;Detection&lt;\/h2&gt;\\r\\n&lt;p&gt;We provide an OSQuery to detect vulnerable versions of crypt32.dll, the vulnerable library (Figure 11). 
&lt;b&gt;Akamai Guardicore Segmentation customers can use the Insight feature together with this query to search for vulnerable assets&lt;\/b&gt;.&lt;\/p&gt;\\r\\n&lt;p&gt;Keep in mind that for an asset to be vulnerable it needs to have an unpatched version of crypt32.dll and run a vulnerable application. (To this day, we\u2019ve only found Chrome v48 to be vulnerable.)&lt;\/p&gt;\\r\\n&quot;}}\">\n<h2><span class=\"ez-toc-section\" id=\"Tespit_etme\"><\/span><span>Detection<\/span><span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p><span>We provide an OSQuery to detect vulnerable versions of crypt32.dll, the vulnerable library (Figure 11).\u00a0<\/span><b><span>Akamai Guardicore Segmentation customers can use the Insight feature together with this query to search for vulnerable assets<\/span><\/b><span>.<\/span><\/p>\n<p><span>Keep in mind that for an asset to be vulnerable it needs to have an unpatched version of crypt32.dll and run a vulnerable application.\u00a0(To this day, we&#8217;ve only found Chrome v48 to be vulnerable.)<\/span><\/p>\n<\/div>\n<\/div>\n<div class=\"prismjs aem-GridColumn aem-GridColumn--default--12\">\n<pre class=\"cmp-prismjs  language-sql\" tabindex=\"0\" data-cmp-data-layer=\"{&quot;prismjs-df2e9bad40&quot;:{&quot;@type&quot;:&quot;akamai\/components\/prismjs&quot;,&quot;repo:modifyDate&quot;:&quot;2023-01-25T03:35:57Z&quot;}}\"><code class=\" language-sql\" data-cmp-hook-prismjs=\"code\"><span class=\"token keyword\">WITH<\/span> product_version <span class=\"token keyword\">AS<\/span> <span class=\"token punctuation\">(<\/span>\r\n  <span class=\"token keyword\">WITH<\/span> os_minor <span 
class=\"token keyword\">AS<\/span> <span class=\"token punctuation\">(<\/span>\r\n    <span class=\"token keyword\">WITH<\/span> os_major <span class=\"token keyword\">AS<\/span> <span class=\"token punctuation\">(<\/span>\r\n      <span class=\"token keyword\">SELECT<\/span> substr<span class=\"token punctuation\">(<\/span>product_version<span class=\"token punctuation\">,<\/span> <span class=\"token number\">0<\/span><span class=\"token punctuation\">,<\/span> instr<span class=\"token punctuation\">(<\/span>product_version<span class=\"token punctuation\">,<\/span> <span class=\"token string\">\".\"<\/span><span class=\"token punctuation\">)<\/span><span class=\"token punctuation\">)<\/span> <span class=\"token keyword\">as<\/span> os_major<span class=\"token punctuation\">,<\/span> substr<span class=\"token punctuation\">(<\/span>product_version<span class=\"token punctuation\">,<\/span> instr<span class=\"token punctuation\">(<\/span>product_version<span class=\"token punctuation\">,<\/span> <span class=\"token string\">\".\"<\/span><span class=\"token punctuation\">)<\/span><span class=\"token operator\">+<\/span><span class=\"token number\">1<\/span><span class=\"token punctuation\">)<\/span> <span class=\"token keyword\">as<\/span> no_os_major_substr\r\n      <span class=\"token keyword\">FROM<\/span> <span class=\"token keyword\">file<\/span>\r\n      <span class=\"token keyword\">WHERE<\/span> path <span class=\"token operator\">=<\/span> <span class=\"token string\">\"c:\\windows\\system32\\crypt32.dll\"<\/span>\r\n    <span class=\"token punctuation\">)<\/span>\r\n    <span class=\"token keyword\">SELECT<\/span> substr<span class=\"token punctuation\">(<\/span>no_os_major_substr<span class=\"token punctuation\">,<\/span> instr<span class=\"token punctuation\">(<\/span>no_os_major_substr<span class=\"token punctuation\">,<\/span> <span class=\"token string\">\".\"<\/span><span class=\"token punctuation\">)<\/span><span class=\"token 
operator\">+<\/span><span class=\"token number\">1<\/span><span class=\"token punctuation\">)<\/span> <span class=\"token keyword\">as<\/span> no_os_minor_substr<span class=\"token punctuation\">,<\/span> substr<span class=\"token punctuation\">(<\/span>no_os_major_substr<span class=\"token punctuation\">,<\/span> <span class=\"token number\">0<\/span><span class=\"token punctuation\">,<\/span> instr<span class=\"token punctuation\">(<\/span>no_os_major_substr<span class=\"token punctuation\">,<\/span> <span class=\"token string\">\".\"<\/span><span class=\"token punctuation\">)<\/span><span class=\"token punctuation\">)<\/span> <span class=\"token keyword\">as<\/span> os_minor<span class=\"token punctuation\">,<\/span> os_major\r\n    <span class=\"token keyword\">FROM<\/span> os_major\r\n  <span class=\"token punctuation\">)<\/span>\r\n  <span class=\"token keyword\">SELECT<\/span>\r\n    CAST<span class=\"token punctuation\">(<\/span>substr<span class=\"token punctuation\">(<\/span>no_os_minor_substr<span class=\"token punctuation\">,<\/span> instr<span class=\"token punctuation\">(<\/span>no_os_minor_substr<span class=\"token punctuation\">,<\/span> <span class=\"token string\">\".\"<\/span><span class=\"token punctuation\">)<\/span><span class=\"token operator\">+<\/span><span class=\"token number\">1<\/span><span class=\"token punctuation\">)<\/span> <span class=\"token keyword\">AS<\/span> <span class=\"token keyword\">INTEGER<\/span><span class=\"token punctuation\">)<\/span> <span class=\"token keyword\">AS<\/span> product_minor<span class=\"token punctuation\">,<\/span>\r\n    CAST<span class=\"token punctuation\">(<\/span>substr<span class=\"token punctuation\">(<\/span>no_os_minor_substr<span class=\"token punctuation\">,<\/span> <span class=\"token number\">0<\/span><span class=\"token punctuation\">,<\/span> instr<span class=\"token punctuation\">(<\/span>no_os_minor_substr<span class=\"token punctuation\">,<\/span> <span class=\"token 
string\">\".\"<\/span><span class=\"token punctuation\">)<\/span><span class=\"token punctuation\">)<\/span> <span class=\"token keyword\">AS<\/span> <span class=\"token keyword\">INTEGER<\/span><span class=\"token punctuation\">)<\/span> <span class=\"token keyword\">AS<\/span> product_major<span class=\"token punctuation\">,<\/span>\r\n    CAST<span class=\"token punctuation\">(<\/span>os_minor <span class=\"token keyword\">AS<\/span> <span class=\"token keyword\">INTEGER<\/span><span class=\"token punctuation\">)<\/span> <span class=\"token keyword\">AS<\/span> os_minor<span class=\"token punctuation\">,<\/span>\r\n    CAST<span class=\"token punctuation\">(<\/span>os_major <span class=\"token keyword\">AS<\/span> <span class=\"token keyword\">INTEGER<\/span><span class=\"token punctuation\">)<\/span> <span class=\"token keyword\">AS<\/span> os_major\r\n  <span class=\"token keyword\">FROM<\/span> os_minor\r\n<span class=\"token punctuation\">)<\/span>\r\n<span class=\"token keyword\">SELECT<\/span>\r\n  <span class=\"token keyword\">CASE<\/span> \r\n    <span class=\"token keyword\">WHEN<\/span> os_major <span class=\"token operator\">=<\/span> <span class=\"token number\">6<\/span> <span class=\"token operator\">AND<\/span> os_minor <span class=\"token operator\">=<\/span> <span class=\"token number\">3<\/span> <span class=\"token keyword\">THEN<\/span> <span class=\"token string\">\"not supported\"<\/span>\r\n    <span class=\"token keyword\">WHEN<\/span> <span class=\"token punctuation\">(<\/span>\r\n        <span class=\"token punctuation\">(<\/span>product_major <span class=\"token operator\">=<\/span> <span class=\"token number\">20348<\/span> <span class=\"token operator\">AND<\/span> product_minor <span class=\"token operator\">&gt;=<\/span> <span class=\"token number\">887<\/span><span class=\"token punctuation\">)<\/span>\r\n        <span class=\"token operator\">OR<\/span>\r\n        <span class=\"token punctuation\">(<\/span>product_major <span 
class=\"token operator\">=<\/span> <span class=\"token number\">17763<\/span> <span class=\"token operator\">AND<\/span> product_minor <span class=\"token operator\">&gt;=<\/span> <span class=\"token number\">3287<\/span><span class=\"token punctuation\">)<\/span>\r\n        <span class=\"token operator\">OR<\/span>\r\n        <span class=\"token punctuation\">(<\/span>product_major <span class=\"token operator\">=<\/span> <span class=\"token number\">14393<\/span> <span class=\"token operator\">AND<\/span> product_minor <span class=\"token operator\">&gt;=<\/span> <span class=\"token number\">5291<\/span><span class=\"token punctuation\">)<\/span>\r\n        <span class=\"token operator\">OR<\/span>\r\n        <span class=\"token punctuation\">(<\/span>product_major <span class=\"token operator\">&gt;=<\/span> <span class=\"token number\">19041<\/span> <span class=\"token operator\">AND<\/span> product_minor <span class=\"token operator\">&gt;=<\/span> <span class=\"token number\">1889<\/span><span class=\"token punctuation\">)<\/span>\r\n    <span class=\"token punctuation\">)<\/span>\r\n    <span class=\"token keyword\">THEN<\/span>\r\n      <span class=\"token string\">\"patched\"<\/span>\r\n    <span class=\"token keyword\">ELSE<\/span>\r\n      <span class=\"token string\">\"not patched\"<\/span>\r\n  <span class=\"token keyword\">END<\/span> is_patched\r\n<span class=\"token keyword\">FROM<\/span> product_version<\/code><\/pre>\n<\/div>\n<div class=\"text text__pt-20 text__pb-20 aem-GridColumn aem-GridColumn--default--12\">\n<div class=\"cmp-text\" style=\"box-sizing: border-box; padding-top: 20px; padding-bottom: 20px;\" 
data-cmp-data-layer=\"{&quot;text-1e96e2ebad&quot;:{&quot;@type&quot;:&quot;akamai\/components\/text&quot;,&quot;repo:modifyDate&quot;:&quot;2023-01-25T15:18:33Z&quot;,&quot;xdm:text&quot;:&quot;&lt;h2&gt;Conclusion&lt;br&gt;\\n&lt;\/h2&gt;\\n&lt;p&gt;Certificates play a major role in identity verification online, making this vulnerability lucrative for attackers. But although it was marked critical, the vulnerability was only given a CVSS score of 7.5. We believe this is due to the limited scope of vulnerable applications and Windows components in which the vulnerability prerequisites are met.&lt;\/p&gt;\\n&lt;p&gt;That being said, there is still a lot of code that uses this API and might be exposed to this vulnerability, warranting a patch even for discontinued versions of Windows, like Windows 7.&lt;\/p&gt;\\n&lt;p&gt;We advise you to patch your Windows servers and endpoints with the latest security patch released by Microsoft. For developers, another option to mitigate this vulnerability is to use other WinAPIs to double-check the validity of a certificate before using it, such as &lt;i&gt;CertVerifyCertificateChainPolicy&lt;\/i&gt;. 
Keep in mind that applications that do not use end-certificate caching are not vulnerable.&lt;\/p&gt;\\n&lt;p&gt;Our PoC code can be found in our &lt;a rel=\\&quot;nofollow noreferrer\\&quot; href=\\&quot;https:\/\/github.com\/akamai\/akamai-security-research\/tree\/main\/PoCs\/CVE-2022-34689\\&quot; target=\\&quot;_blank\\&quot;&gt;GitHub repository.&lt;\/a&gt; You can also keep up to date with all Akamai Security Research publications via our Twitter account.&lt;\/p&gt;\\n&quot;}}\">\n<h2><span class=\"ez-toc-section\" id=\"Cozum\"><\/span><span>Conclusion<\/span><span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p><span>Certificates play a major role in identity verification online, making this vulnerability lucrative for attackers.\u00a0But although it was marked critical, the vulnerability was only given a CVSS score of 7.5.\u00a0We believe this is due to the limited scope of vulnerable applications and Windows components in which the vulnerability prerequisites are met.<\/span><\/p>\n<p><span>That being said, there is still a lot of code that uses this API and might be exposed to this vulnerability, warranting a patch even for discontinued versions of Windows, like Windows 7.<\/span><\/p>\n<p><span>We advise you to patch your Windows servers and endpoints with the latest security patch released by Microsoft.\u00a0For developers, another option to mitigate this vulnerability is to use other WinAPIs, such as\u00a0<\/span><i><span>CertVerifyCertificateChainPolicy<\/span><\/i><span>, to double-check the validity of a certificate 
before using it.\u00a0Keep in mind that applications that do not use end-certificate caching are not vulnerable.<\/span><\/p>\n<p><span>Our PoC code can be found in our\u00a0<\/span><a href=\"https:\/\/github.com\/akamai\/akamai-security-research\/tree\/main\/PoCs\/CVE-2022-34689\" target=\"_blank\" rel=\"nofollow noopener noreferrer\"><span>GitHub repository<\/span><\/a><span>.\u00a0You can also keep up to date with all Akamai Security Research publications via our Twitter account.<\/span><\/p>\n<\/div>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>By Tomer Peled and Yoni Rozenshein Editorial and additional contributions by Tricia Howard Executive Summary Akamai Security Research recently analyzed a critical vulnerability in Windows CryptoAPI that was disclosed to Microsoft by the National Security Agency (NSA) and the National Cyber Security Centre (NCSC). 
The vulnerability, assigned\u00a0CVE-2022-34689, has a CVSS score of 7.5.\u00a0It was patched in August 2022, but in the October 2022 Patch Tuesday &hellip;<\/p>\n","protected":false},"author":1,"featured_media":2636,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[14],"tags":[],"class_list":["post-2635","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-haberler"],"acf":[],"_links":{"self":[{"href":"https:\/\/sunucucozumleri.com\/blog\/wp-json\/wp\/v2\/posts\/2635","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/sunucucozumleri.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/sunucucozumleri.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/sunucucozumleri.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/sunucucozumleri.com\/blog\/wp-json\/wp\/v2\/comments?post=2635"}],"version-history":[{"count":0,"href":"https:\/\/sunucucozumleri.com\/blog\/wp-json\/wp\/v2\/posts\/2635\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/sunucucozumleri.com\/blog\/wp-json\/wp\/v2\/media\/2636"}],"wp:attachment":[{"href":"https:\/\/sunucucozumleri.com\/blog\/wp-json\/wp\/v2\/media?parent=2635"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/sunucucozumleri.com\/blog\/wp-json\/wp\/v2\/categories?post=2635"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/sunucucozumleri.com\/blog\/wp-json\/wp\/v2\/tags?post=2635"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}