
Fix multiple addresses in From vulnerability #48

Open
wants to merge 1 commit into
base: master
from

Conversation

@panpilkarz

commented Jul 30, 2019

This PR fixes a vulnerability that allows opendmarc to pass as example.com even though spf and dkim were not example.com, as in the following example:

Input:

From: Support <support@example.com>, Support <support@thedomain.com>
Authentication-Results: mail.example.com; spf=pass smtp.mailfrom=notify@seconddomain.com
Authentication-Results: mail.example.com; dkim=pass (1024-bit key) header.d=thedomain.com header.i=@thedomain.com header.b="xxxx"

Output:

Authentication-Results: mail.example.com; dmarc=pass (p=quarantine dis=none) header.from=example.com
@wioxjk


commented Sep 11, 2019

Thanks @panpilkarz

Let's hope that someone from trusteddomainproject is reacting to this,

@AntiFreeze

@Bluewind


commented Sep 11, 2019

In light of https://tools.ietf.org/html/rfc7489#section-6.6.1 this looks way too simple. From a quick look I'd say that the proposed fix only parses the first domain and it does not parse/verify each domain as specified in the RFC.
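The two points above (the PR's multi-address From example, and the RFC 7489 section 6.6.1 requirement to handle each From domain rather than only the first) worked through in an added Python example. This is not OpenDMARC code and not the patch under review: it parses a multi-address From header, collects the passing SPF/DKIM identifiers from the Authentication-Results headers, and contrasts an "any aligned From domain yields a pass, reported against the first domain" evaluation with per-domain evaluation (or outright rejection of multi-domain From). The sample headers are constructed from the PR description; the two-label organizational-domain rule stands in for a Public Suffix List lookup and is an assumption of the example.

```python
"""Added example (not OpenDMARC code): DMARC evaluation over a
multi-address From header, modelled on the headers in the PR description."""
import email
import re
from email.message import Message
from email.utils import getaddresses

# Constructed sample, copied from the PR description's "Input" block.
SAMPLE_HEADERS = (
    "From: Support <support@example.com>, Support <support@thedomain.com>\n"
    "Authentication-Results: mail.example.com;"
    " spf=pass smtp.mailfrom=notify@seconddomain.com\n"
    "Authentication-Results: mail.example.com;"
    " dkim=pass (1024-bit key) header.d=thedomain.com"
    ' header.i=@thedomain.com header.b="xxxx"\n'
)

# "spf=pass ... smtp.mailfrom=<id>" or "dkim=pass ... header.d=<id>" within
# a single resinfo of an Authentication-Results header (stops at the next ';').
_PASS_RE = re.compile(
    r"\b(spf|dkim)=pass\b[^;]*?\b(?:smtp\.mailfrom|header\.d)=([^\s;]+)",
    re.IGNORECASE,
)


def parse_headers(raw: str) -> Message:
    """Parse a header block (body optional) into an email.message.Message."""
    return email.message_from_string(raw)


def from_domains(msg: Message) -> list[str]:
    """Every domain in From, in order. RFC 5322 allows From to be a list of
    mailboxes, which is exactly what the vulnerable input exploits."""
    domains = []
    for _name, addr in getaddresses(msg.get_all("From", [])):
        if "@" in addr:
            domains.append(addr.rsplit("@", 1)[1].lower())
    return domains


def passing_identifiers(msg: Message) -> list[tuple[str, str]]:
    """(mechanism, domain) for each spf=pass / dkim=pass result found in the
    Authentication-Results headers; smtp.mailfrom is reduced to its domain."""
    found = []
    for value in msg.get_all("Authentication-Results", []):
        for mech, ident in _PASS_RE.findall(value):
            found.append((mech.lower(), ident.rsplit("@", 1)[-1].lower()))
    return found


def organizational_domain(domain: str) -> str:
    """Assumption for this example: the last two labels. A real evaluator
    derives the organizational domain from the Public Suffix List."""
    return ".".join(domain.split(".")[-2:])


def is_aligned(from_domain: str, auth_domain: str, strict: bool = False) -> bool:
    """Identifier alignment: exact match (strict) or same organizational
    domain (relaxed)."""
    if strict:
        return from_domain == auth_domain
    return organizational_domain(from_domain) == organizational_domain(auth_domain)


def evaluate_unpatched_model(msg: Message, strict: bool = False):
    """Model of the pre-fix behaviour the PR describes: a pass if *any* From
    domain aligns with *any* passing identifier, reported against the first
    From domain even when a different one actually aligned."""
    domains = from_domains(msg)
    if not domains:
        return ("none", None)
    idents = passing_identifiers(msg)
    any_aligned = any(is_aligned(d, a, strict) for d in domains for _m, a in idents)
    return ("pass" if any_aligned else "fail", domains[0])


def evaluate_per_domain(msg: Message, reject_multiple: bool = False,
                        strict: bool = False):
    """RFC 7489 section 6.6.1 handling of a multi-domain From: either refuse
    the message outright, or evaluate every distinct From domain on its own
    and pass only when each of them is aligned with a passing identifier."""
    domains = list(dict.fromkeys(from_domains(msg)))  # distinct, order kept
    if not domains:
        return ("none", {})
    if len(domains) > 1 and reject_multiple:
        return ("reject", {d: "unevaluated" for d in domains})
    idents = passing_identifiers(msg)
    per_domain = {
        d: "pass" if any(is_aligned(d, a, strict) for _m, a in idents) else "fail"
        for d in domains
    }
    overall = "pass" if all(r == "pass" for r in per_domain.values()) else "fail"
    return (overall, per_domain)


if __name__ == "__main__":
    m = parse_headers(SAMPLE_HEADERS)
    print("From domains:      ", from_domains(m))
    print("passing identifiers", passing_identifiers(m))
    print("unpatched model:   ", evaluate_unpatched_model(m))
    print("per-domain:        ", evaluate_per_domain(m))
    print("reject multi-From: ", evaluate_per_domain(m, reject_multiple=True))
```

On the sample input the unpatched model reports a pass for example.com, although the only aligned identifier is the DKIM signature for thedomain.com; per-domain evaluation fails example.com while passing thedomain.com, and the overall result is a fail.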

uqs pushed a commit to freebsd/freebsd-ports that referenced this pull request Sep 15, 2019
pi
mail/opendmarc: fix multiple addresses in From vulnerability
- please note that it might only be a partial fix, see
  trusteddomainproject/OpenDMARC#48 (comment)

PR:		240505
Reported by:	protonmail
Approved by:	ports-secteam (delphij)
Obtained from:	trusteddomainproject/OpenDMARC#48
MFH:		2019Q3
Security:	https://protonmail.com/blog/bellingcat-cyberattack-phishing/


git-svn-id: svn+ssh://svn.freebsd.org/ports/head@512093 35697150-7ecd-e111-bb59-0022644237b5
uqs pushed a commit to freebsd/freebsd-ports that referenced this pull request Sep 15, 2019
MFH: r512093
mail/opendmarc: fix multiple addresses in From vulnerability

- please note that it might only be a partial fix, see
  trusteddomainproject/OpenDMARC#48 (comment)

PR:		240505
Reported by:	protonmail
Approved by:	ports-secteam (delphij)
Obtained from:	trusteddomainproject/OpenDMARC#48
Security:	https://protonmail.com/blog/bellingcat-cyberattack-phishing/
@kitterma


commented Sep 16, 2019

I would recommend distros and others apply this (I'm about to do it in Debian).

I tested this by creating a DKIM signed multi-from message. The message was signed by the second body From. An unpatched opendmarc will produce a DMARC pass result (due to DKIM passed and aligned with a body From value), but will show the unsigned domain from the other body From as the passed domain.

After patching, the result is DMARC fail for the first domain listed (same one that showed pass before). This is not the full RFC7489 processing, but it is enough to avoid the related security issue.

I did a code inspection and there is existing code to error out when more than one body From is detected. I think this patch is sufficient for that to get triggered.

@carnil


commented Sep 17, 2019

CVE-2019-16378 was assigned for this issue.
