OpenDMARC through 1.3.2 and 1.4.x allows attacks that inject authentication results to provide false information about the domain that originated an e-mail message. This is caused by incorrect parsing and interpretation of SPF/DKIM authentication results, as demonstrated by the example.net(.example.com substring.
Weakness
This attack-focused weakness is caused by incorrectly implemented authentication schemes that are subject to spoofing attacks.
Affected Software
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Opendmarc | Trusteddomain | 1.0.0 (including) | 1.3.2 (including) |
| Opendmarc | Trusteddomain | 1.4.0 (including) | 1.4.0 (including) |
| Opendmarc | Trusteddomain | 1.4.0-beta0 (including) | 1.4.0-beta0 (including) |
| Opendmarc | Trusteddomain | 1.4.0-beta1 (including) | 1.4.0-beta1 (including) |
| Opendmarc | Ubuntu | bionic | * |
| Opendmarc | Ubuntu | eoan | * |
| Opendmarc | Ubuntu | esm-apps/bionic | * |
| Opendmarc | Ubuntu | esm-apps/focal | * |
| Opendmarc | Ubuntu | esm-apps/xenial | * |
| Opendmarc | Ubuntu | focal | * |
| Opendmarc | Ubuntu | groovy | * |
| Opendmarc | Ubuntu | hirsute | * |
| Opendmarc | Ubuntu | impish | * |
| Opendmarc | Ubuntu | kinetic | * |
| Opendmarc | Ubuntu | trusty | * |
| Opendmarc | Ubuntu | upstream | * |
| Opendmarc | Ubuntu | xenial | * |
Related Attack Patterns
- https://cwe.mitre.org/data/definitions/21.html
- https://cwe.mitre.org/data/definitions/22.html
- https://cwe.mitre.org/data/definitions/459.html
- https://cwe.mitre.org/data/definitions/461.html
- https://cwe.mitre.org/data/definitions/473.html
- https://cwe.mitre.org/data/definitions/476.html
- https://cwe.mitre.org/data/definitions/59.html
- https://cwe.mitre.org/data/definitions/60.html
- https://cwe.mitre.org/data/definitions/667.html
- https://cwe.mitre.org/data/definitions/94.html
References
- https://lists.debian.org/debian-lts-announce/2023/08/msg00035.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2D4JGHMALEJEWWG56DKR5OZB22TK7W5B/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KBOGOQOK3TIWWJV66MW5YWNRJAFFYGR5/
- https://sourceforge.net/p/opendmarc/tickets/237/
- https://www.usenix.org/system/files/sec20fall_chen-jianjun_prepub_0.pdf
- https://lists.debian.org/debian-lts-announce/2023/08/msg00035.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2D4JGHMALEJEWWG56DKR5OZB22TK7W5B/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KBOGOQOK3TIWWJV66MW5YWNRJAFFYGR5/
- https://sourceforge.net/p/opendmarc/tickets/237/
- https://www.usenix.org/system/files/sec20fall_chen-jianjun_prepub_0.pdf