CVE-2022-48521: ‘KeepAuthResults = no’ (the default setting) may delete the wrong headers · Issue #148 · trusteddomainproject/OpenDKIM

An issue was discovered in OpenDKIM through 2.10.3, and 2.11.x through 2.11.0-Beta2. It fails to keep track of ordinal numbers when removing fake Authentication-Results header fields, which allows a remote attacker to craft an e-mail message with a fake sender address such that programs that rely on Authentication-Results from OpenDKIM will treat the message as having a valid DKIM signature when in fact it has none.

I made the same discovery while trying to figure out how to get RemoveARFrom to work. This defect caused me quite some consternation before I figured out what was going on.

With this line in /etc/opendkim.conf:

RemoveARFrom 2.example,3.example,5.example

this set of header fields:

Authentication-Results: 1.example; dkim=pass
Authentication-Results: 2.example; dkim=pass
Authentication-Results: 3.example; dkim=pass
Authentication-Results: 4.example; dkim=pass
Authentication-Results: 5.example; dkim=pass
Authentication-Results: 6.example; dkim=pass
Authentication-Results: 7.example; dkim=pass
Authentication-Results: 8.example; dkim=pass

gets transformed into this:

Authentication-Results: 1.example; dkim=pass
Authentication-Results: 3.example; dkim=pass
Authentication-Results: 5.example; dkim=pass
Authentication-Results: 6.example; dkim=pass
Authentication-Results: 8.example; dkim=pass

That is, the first matching header field gets removed correctly, but for the second match the one below it gets removed, and for the third match the one two steps below gets removed.

I found this with OpenDKIM 2.11.0-Beta2, Libmilter 8.15.2 and Postfix 3.5.13.

Evidently, when Postfix removes a header field, the ordinal numbers of the following fields change, and Postfix’s and OpenDKIM’s ideas of the fields’ ordinal numbers get out of sync.

When removing elements from a list, it’s generally safer to process the list in reverse so that the elements that get renumbered are those you have already processed.

Suggestions for a solution:

1: Count instances of Authentication-Results in mlfi_header. In mlfi_eom, walk the list of header fields backwards and count down instead of up.

2: When an instance to remove is found, push its index to a stack. When done walking the list of header fields, pop indices from the stack and call dkimf_chgheader. The use of a stack causes the last instance to be removed first.

3: If you are confident that all current and future MTAs count the header fields anew each time, then OpenDKIM can compensate by decreasing c if dkimf_chgheader succeeds.
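The off-by-one drift in the comment above, and the first and third suggested fixes, can be reproduced with a small model. The program below is an added illustration and is not OpenDKIM or libmilter code: header_list, delete_nth() (a stand-in for smfi_chgheader(ctx, "Authentication-Results", idx, NULL), which deletes the idx-th, 1-based, instance and leaves the MTA to renumber the rest), and the remove_*() functions are assumptions made for this example, and the eight Authentication-Results values and the RemoveARFrom list are constructed to match the report.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define MAX_HDRS 16
#define VAL_LEN 32

/* Toy model of a message: the authserv-id of each Authentication-Results
 * field, in header order (constructed; not OpenDKIM's data structures). */
typedef struct {
    char values[MAX_HDRS][VAL_LEN];
    int count;
} header_list;

/* Constructed sample mirroring the issue report. */
static const char *SAMPLE[] = { "1.example", "2.example", "3.example", "4.example",
                                "5.example", "6.example", "7.example", "8.example" };
/* RemoveARFrom 2.example,3.example,5.example */
static const char *REMOVE_FROM[] = { "2.example", "3.example", "5.example" };

static header_list load_sample(void)
{
    header_list h = { .count = 0 };
    for (size_t i = 0; i < sizeof SAMPLE / sizeof SAMPLE[0]; i++)
        strcpy(h.values[h.count++], SAMPLE[i]);
    return h;
}

/* MTA side of smfi_chgheader(ctx, name, idx, NULL) as modelled here: delete the
 * idx-th (1-based) instance and renumber every later instance immediately. */
static bool delete_nth(header_list *h, int idx)
{
    if (idx < 1 || idx > h->count)
        return false;
    for (int i = idx - 1; i + 1 < h->count; i++)
        strcpy(h->values[i], h->values[i + 1]);
    h->count--;
    return true;
}

static bool should_remove(const char *authserv_id)
{
    for (size_t i = 0; i < sizeof REMOVE_FROM / sizeof REMOVE_FROM[0]; i++)
        if (strcmp(authserv_id, REMOVE_FROM[i]) == 0)
            return true;
    return false;
}

/* Join the surviving authserv-ids with spaces, e.g. "1.example 3.example". */
static const char *join(const header_list *h, char *buf, size_t n)
{
    size_t used = 0;
    buf[0] = '\0';
    for (int i = 0; i < h->count && used < n; i++)
        used += snprintf(buf + used, n - used, "%s%s", i ? " " : "", h->values[i]);
    return buf;
}

/* Pattern described in the report: walk the snapshot taken at header time
 * with an ascending ordinal c and delete ordinal c on the live message.
 * Each deletion shifts later ordinals down, so later matches hit the wrong field. */
const char *remove_forward(void)
{
    static char out[256];
    header_list live = load_sample();
    header_list snapshot = live;          /* the milter's view from mlfi_header */
    for (int c = 1; c <= snapshot.count; c++)
        if (should_remove(snapshot.values[c - 1]))
            delete_nth(&live, c);
    return join(&live, out, sizeof out);
}

/* Suggestion 1: walk backwards, so the ordinals that shift are already processed. */
const char *remove_reverse(void)
{
    static char out[256];
    header_list live = load_sample();
    header_list snapshot = live;
    for (int c = snapshot.count; c >= 1; c--)
        if (should_remove(snapshot.values[c - 1]))
            delete_nth(&live, c);
    return join(&live, out, sizeof out);
}

/* Suggestion 3: keep walking forward but subtract the number of successful
 * deletions so far, assuming the MTA renumbers after each one. */
const char *remove_compensated(void)
{
    static char out[256];
    header_list live = load_sample();
    header_list snapshot = live;
    int removed = 0;
    for (int c = 1; c <= snapshot.count; c++)
        if (should_remove(snapshot.values[c - 1]) && delete_nth(&live, c - removed))
            removed++;
    return join(&live, out, sizeof out);
}

int main(void)
{
    printf("forward:     %s\n", remove_forward());
    printf("reverse:     %s\n", remove_reverse());
    printf("compensated: %s\n", remove_compensated());
    return 0;
}
```

remove_forward() reproduces the transformed list shown in the report (1, 3, 5, 6, 8), while the reverse walk and the compensated forward walk both leave exactly 1, 4, 6, 7 and 8. The reverse walk is the more robust of the two because it does not depend on when the MTA renumbers; the compensated walk is only correct if every MTA renumbers immediately after each successful change, which is the caveat the third suggestion states.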
