Bug 2223270

Summary: CVE-2022-48521 opendkim: Authentication-Results fields are not removed correctly [epel-all]
Product: [Fedora] Fedora EPEL Reporter: Björn Persson <bjorn>
Component: opendkimAssignee: Matt Domsch <matt>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium Docs Contact:
Priority: medium    
Version: epel9CC: anon.amish, matt, mcascell
Target Milestone: ---Keywords: Security, SecurityTracking
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
URL: https://nvd.nist.gov/vuln/detail/CVE-2022-48521
Whiteboard:
Fixed In Version: opendkim-2.11.0-0.36.el9 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2023-12-06 00:34:20 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 2223351    

Description Björn Persson 2023-07-17 07:52:11 UTC 
Description of problem:
When OpenDKIM removes fake Authentication-Results fields (as required in https://www.rfc-editor.org/rfc/rfc8601#section-5), it doesn't account for the fact that – at least in Postfix – this changes the ordinal numbers of the following header fields, so it passes the wrong number to the MTA for the second and following header fields it removes. If there are more than one fake Authentication-Results fields, then OpenDKIM leaves some of them in place. Thus a fake Authentication-Results field can bypass OpenDKIM, and be relied on by other programs as if it had been added by OpenDKIM. An email message may be accepted when by policy it should be rejected, and/or the recipient can be tricked into believing that the sender is someone they trust.

It seems unlikely that the vulnerability will be fixed upstream. Sysadmins should know that Authentication-Results from OpenDKIM can't be trusted unless some other program removes fake Authentication-Results fields from incoming messages before OpenDKIM processes them.

Version-Release number of selected component:
2.11.0-0.34

How reproducible:
deterministic

Steps to Reproduce:
1. this line in /etc/opendkim.conf:
RemoveARFrom 2.example,3.example,5.example

2. an email with this set of header fields:
Authentication-Results: 1.example; dkim=pass
Authentication-Results: 2.example; dkim=pass
Authentication-Results: 3.example; dkim=pass
Authentication-Results: 4.example; dkim=pass
Authentication-Results: 5.example; dkim=pass
Authentication-Results: 6.example; dkim=pass
Authentication-Results: 7.example; dkim=pass
Authentication-Results: 8.example; dkim=pass

Actual results:
The above gets transformed into this:
Authentication-Results: 1.example; dkim=pass
Authentication-Results: 3.example; dkim=pass
Authentication-Results: 5.example; dkim=pass
Authentication-Results: 6.example; dkim=pass
Authentication-Results: 8.example; dkim=pass

That is, the first matching header field gets removed correctly, but for the second match the one below it gets removed, and for the third match the one two steps below gets removed.

Expected results:
Authentication-Results: 1.example; dkim=pass
Authentication-Results: 4.example; dkim=pass
Authentication-Results: 6.example; dkim=pass
Authentication-Results: 7.example; dkim=pass
Authentication-Results: 8.example; dkim=pass

A note for anyone who wants to develop a patch:
The Libmilter API documentation doesn't specify whether removing a header field renumbers the following header fields, so hypothetically different MTAs could do it differently without violating the API specification. The safe way to handle the ambiguity is to remove header fields in reverse order.
Comment 1 Carl George 🤠 2023-10-31 21:44:00 UTC 
Since NVD rated this as medium (5.3 CVSS), I'm going to drop the severity of this bug down to medium to match.

https://nvd.nist.gov/vuln/detail/CVE-2022-48521
Comment 2 Fedora Update System 2023-11-27 21:11:55 UTC 
FEDORA-EPEL-2023-9a05f8b1eb has been submitted as an update to Fedora EPEL 9. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2023-9a05f8b1eb
Comment 3 Fedora Update System 2023-11-28 01:37:29 UTC 
FEDORA-EPEL-2023-9a05f8b1eb has been pushed to the Fedora EPEL 9 testing repository.

You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2023-9a05f8b1eb

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
Comment 4 Fedora Update System 2023-12-06 00:34:20 UTC 
FEDORA-EPEL-2023-9a05f8b1eb has been pushed to the Fedora EPEL 9 stable repository.
If problem still persists, please make note of it in this bug report.