SB2020042731 - Authentication bypass in OpenDMARC
Published: April 27, 2020 Updated: April 30, 2021
Security Bulletin ID
SB2020042731
Severity
Medium
Patch available
YES
Number of vulnerabilities
1
Exploitation vector
Remote access
Highest impact
Data manipulation
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 1 security vulnerability.
1) Authentication Bypass by Spoofing (CVE-ID: CVE-2019-20790)
The vulnerability allows a remote attacker to bypass authentication process.
The vulnerability exists in OpenDMARC when used with pypolicyd-spf 2.0.2 when processing headers added by previous SPF filters. A remote attacker can bypass SPF and DMARC authentication in situations where the HELO field is inconsistent with the MAIL FROM field.
Remediation
Install update from vendor's website.
References
- https://bugs.launchpad.net/pypolicyd-spf/+bug/1838816
- https://sourceforge.net/p/opendmarc/tickets/235/
- https://www.usenix.org/system/files/sec20fall_chen-jianjun_prepub_0.pdf
- https://github.com/trusteddomainproject/OpenDMARC/releases/tag/rel-opendmarc-1-4-1
- https://github.com/trusteddomainproject/OpenDMARC/blob/master/SECURITY/CVE-2019-20790