CVE-2019-20790 log

Source
Severity Low
Remote Yes
Type Authentication bypass
Description
OpenDMARC through 1.3.2 and 1.4.x, when used with pypolicyd-spf 2.0.2, allows attacks that bypass SPF and DMARC authentication in situations where the HELO field is inconsistent with the MAIL FROM field.

NOTE: the validity of this issue is disputed. According to the OpenDMARC developers: "It is the job of OpenDMARC to trust information provided to it by upstream filters. OpenDMARC itself can be configured to validate SPF, but there are use cases where OpenDMARC may be running further inside a network and not have access to the connection strings as logged. No standard exists for relaying the IP address of the client to inward systems when relaying occurs. It is the view of the OpenDMARC developers that this is working as designed, but if this behavior is undesirable, then any filter that adds a Received-SPF header field should not set a spf=pass result based solely on the HELO/EHLO string. It is not the job of OpenDMARC to second-guess other filters in the chain, but simply to compare their stated values and make a weight-based judgement."
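As an added illustration (not part of this advisory, of OpenDMARC or of pypolicyd-spf): the inconsistency described above is an upstream SPF filter reporting spf=pass for the HELO identity while MAIL FROM carries a different domain. A downstream DMARC consumer can refuse to count such a pass toward alignment, as this Python check does over constructed Received-SPF headers; the sample domains and header layout are assumptions, not copied from either project.

```python
import re

# Constructed sample headers (not from the page): the first reports "pass" for the
# HELO identity while MAIL FROM names another domain, the second for MAIL FROM itself.
HELO_ONLY_PASS = (
    "Received-SPF: Pass (mx.recipient.example: domain of mail.other.example "
    "designates 192.0.2.10 as permitted sender) identity=helo; client-ip=192.0.2.10; "
    "helo=mail.other.example; envelope-from=alice@corp.example; receiver=mx.recipient.example"
)
MAILFROM_PASS = (
    "Received-SPF: Pass (mx.recipient.example: domain of corp.example "
    "designates 192.0.2.20 as permitted sender) identity=mailfrom; client-ip=192.0.2.20; "
    "helo=mail.corp.example; envelope-from=alice@corp.example; receiver=mx.recipient.example"
)

def parse_received_spf(header):
    """Parse a Received-SPF header (RFC 7208 section 9.1) into its result plus
    key=value fields such as identity, helo and envelope-from."""
    body = header.split(":", 1)[1].strip()
    result, _, rest = body.partition(" ")
    rest = re.sub(r"^\([^)]*\)\s*", "", rest.strip())  # drop the parenthesised comment
    fields = {"result": result.lower()}
    for kv in rest.split(";"):
        if "=" in kv:
            key, value = kv.strip().split("=", 1)
            fields[key.strip().lower()] = value.strip()
    return fields

def spf_authenticated_domain(fields):
    """Domain an SPF pass vouches for, or None. DMARC (RFC 7489 section 3.1.2) uses the
    MAIL FROM identity; HELO only stands in when MAIL FROM is empty (bounces)."""
    if fields.get("result") != "pass":
        return None
    identity = fields.get("identity", "").lower()
    envelope_from = fields.get("envelope-from", "")
    if identity == "mailfrom" and "@" in envelope_from:
        return envelope_from.rsplit("@", 1)[1].lower()
    if identity == "helo" and envelope_from in ("", "<>"):
        return fields.get("helo", "").lower() or None
    return None  # a HELO-only pass says nothing about a non-empty MAIL FROM domain

def dmarc_spf_aligned(header, from_domain, strict=False):
    """True if the SPF pass may count toward DMARC for the RFC5322.From domain.
    Relaxed mode accepts subdomains (a simplification of organizational domains)."""
    auth_domain = spf_authenticated_domain(parse_received_spf(header))
    if auth_domain is None:
        return False
    same = auth_domain == from_domain.lower()
    return same if strict else same or auth_domain.endswith("." + from_domain.lower())
```

With this rule the first header contributes nothing to DMARC for corp.example, so the message must rely on DKIM or fail; the second header aligns in both relaxed and strict mode.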
Group     Package    Affected  Fixed  Severity  Status      Ticket
AVG-1375  opendmarc  1.4.0-2   -      Medium    Vulnerable  -
References
https://github.com/trusteddomainproject/OpenDMARC/blob/develop/SECURITY/CVE-2019-20970
https://bugs.launchpad.net/pypolicyd-spf/+bug/1838816
https://sourceforge.net/p/opendmarc/tickets/235/
https://www.usenix.org/system/files/sec20fall_chen-jianjun_prepub_0.pdf
https://github.com/trusteddomainproject/OpenDMARC/issues/49
https://github.com/trusteddomainproject/OpenDMARC/issues/158