CVE-2019-16378
📋 TL;DR
OpenDMARC versions through 1.3.2 and 1.4.x through 1.4.0-Beta1 contain a signature bypass vulnerability when emails contain multiple From: addresses. This allows attackers to spoof email domains that should be protected by DMARC authentication, potentially enabling phishing and business email compromise attacks. Organizations using OpenDMARC for email authentication are affected.
💻 Affected Systems
- OpenDMARC
📦 What is this software?
Fedora by Fedoraproject
Opendmarc by Trusteddomain
Ubuntu Linux by Canonical
⚠️ Risk & Real-World Impact
Worst Case
Attackers successfully spoof legitimate domains in phishing campaigns, leading to credential theft, financial fraud, or malware distribution that appears to come from trusted sources.
Likely Case
Targeted phishing attacks against specific organizations by spoofing partner or vendor domains that use DMARC, potentially bypassing email security filters.
If Mitigated
With proper email filtering layers and user awareness training, the impact is reduced to occasional spam that might bypass some authentication checks.
🎯 Exploit Status
The vulnerability is in the parsing logic and can be exploited by crafting emails with multiple From: headers. Public proof-of-concept exists in the security advisory.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: OpenDMARC 1.3.3 and later, 1.4.0-Beta2 and later
Vendor Advisory: http://www.openwall.com/lists/oss-security/2019/09/17/2
Restart Required: Yes
Instructions:
1. Check the current OpenDMARC version.
2. Update to OpenDMARC 1.3.3 or later, or 1.4.0-Beta2 or later.
3. Restart the OpenDMARC service.
4. Verify the fix is applied.
🔧 Temporary Workarounds
Email Filtering Workaround
Configure email gateways to reject or quarantine emails with multiple From: addresses before they reach OpenDMARC.
Effectiveness depends on the specific email gateway configuration.
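One way to implement such a gateway pre-filter, as an added example that is not part of the advisory or of OpenDMARC itself: it parses a message with Python's standard email library and flags anything other than exactly one From: field holding exactly one mailbox, so the downstream DMARC check has a single unambiguous domain to align against. The two sample messages are constructed for illustration.

```python
import email
from email.utils import getaddresses

# Constructed sample messages (not real captures): the first carries two From:
# header fields naming different domains, the second is a normal single From:.
MULTI_FROM_MSG = b"""From: "Billing" <billing@example.org>
From: "Billing" <billing@example.com>
To: user@example.net
Subject: Invoice

Please see the attached invoice.
"""

SINGLE_FROM_MSG = b"""From: "Billing" <billing@example.org>
To: user@example.net
Subject: Invoice

Please see the attached invoice.
"""


def from_mailboxes(raw: bytes) -> list[str]:
    """Return every address found in every From: field, in header order."""
    msg = email.message_from_bytes(raw)      # compat32 policy: plain str headers
    fields = msg.get_all("From") or []       # one list entry per From: field
    return [addr.lower() for _name, addr in getaddresses(fields) if addr]


def from_domains(raw: bytes) -> list[str]:
    """Domains of the From: mailboxes, i.e. what DMARC alignment is evaluated against."""
    return [addr.rpartition("@")[2] for addr in from_mailboxes(raw)]


def check_from_header(raw: bytes) -> tuple[bool, str]:
    """Gateway pre-filter: returns (quarantine?, reason).

    Anything other than exactly one From: field containing exactly one mailbox
    is quarantined, so a DMARC evaluator downstream never sees an ambiguous
    sender domain."""
    msg = email.message_from_bytes(raw)
    fields = msg.get_all("From") or []
    if len(fields) != 1:
        return True, f"{len(fields)} From: header fields (expected 1)"
    mailboxes = from_mailboxes(raw)
    if len(mailboxes) != 1:
        return True, f"{len(mailboxes)} mailboxes in From: (expected 1)"
    return False, f"single From: mailbox {mailboxes[0]}"


if __name__ == "__main__":
    for label, raw in (("multi", MULTI_FROM_MSG), ("single", SINGLE_FROM_MSG)):
        quarantine, reason = check_from_header(raw)
        print(f"{label}: quarantine={quarantine} ({reason})")
```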
🧯 If You Can't Patch
- Implement additional email authentication layers like SPF and DKIM checking
- Deploy advanced email security solutions that detect spoofing independently of DMARC
🔍 How to Verify
Check if Vulnerable:
Check the OpenDMARC version with opendmarc -v or via the package manager. If the version is 1.3.2 or earlier, or 1.4.0-Beta1 or earlier, it is vulnerable.
Check Version:
opendmarc -v
Verify Fix Applied:
After updating, verify that the version is 1.3.3 or later, or 1.4.0-Beta2 or later. Test with a crafted email containing multiple From: addresses.
📡 Detection & Monitoring
Log Indicators:
- OpenDMARC logs showing authentication failures for emails that should pass
- Multiple From: headers in email logs
Network Indicators:
- Emails with multiple From: headers bypassing DMARC checks
SIEM Query:
source="opendmarc" AND ("multiple from" OR "auth=fail" AND "spoof")
🔗 References
- http://www.openwall.com/lists/oss-security/2019/09/17/2
- https://bugs.debian.org/940081
- https://github.com/trusteddomainproject/OpenDMARC/pull/48
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6HEWDFGRKQHIWKFZH5BNWQDGUPNR7VH3/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PEUBIHJLMPMB6KHOSGDMUQKSAW4HOCYM/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Y7RT6ID7MBCEPNZEIUKK2TZIOCYPJR6E/
- https://seclists.org/bugtraq/2019/Sep/36
- https://usn.ubuntu.com/4567-1/
- https://www.debian.org/security/2019/dsa-4526
- https://www.openwall.com/lists/oss-security/2019/09/11/8