PT-2020-4942 · Trustwave+2 · Opendmarc+2
Pjlantz · Published 2020-07-27 · Updated 2023-09-11 · CVE-2020-12460

CVSS v2.0: 10 (Critical)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C

Name of the Vulnerable Software and Affected Versions: OpenDMARC versions 1.3.2 and 1.4.x through 1.4.0-Beta1

Description: The issue is improper null termination in the opendmarc_xml_parse function, which can result in a one-byte heap overflow in opendmarc_xml when parsing a specially crafted DMARC aggregate report. This can cause remote memory corruption when a '\0' byte overwrites the heap metadata of the next chunk and its PREV_INUSE flag. The vulnerability may allow a remote attacker to execute arbitrary code on the target system by opening a specially crafted DMARC aggregate report.

Recommendations: For OpenDMARC versions 1.3.2 and 1.4.x through 1.4.0-Beta1, consider disabling the opendmarc_xml_parse function until a patch is available to prevent remote memory corruption. Restrict access to the opendmarc_xml module to minimize the risk of exploitation. Avoid using the opendmarc_xml module to parse DMARC aggregate reports until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
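The bug class described above, as an added C example that is not OpenDMARC's source code: a terminator written at index len of a buffer that holds exactly len bytes, shown next to the bounds-checked and len + 1 forms. The heap_model struct, all function names, the sample report string and the 0x20 neighbour size are constructed for illustration; the neighbouring chunk is simulated inside a single allocation so the unchecked write stays in bounds here.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define PREV_INUSE 0x1u /* low bit of a glibc chunk's size field */

/* Constructed model: mem[0..cap) is the report buffer, mem[cap] stands in
 * for the low byte of the next chunk's size field. */
struct heap_model { unsigned char *mem; size_t cap; };

/* Flawed pattern: the terminator goes to mem[len] with no capacity check,
 * so a report that fills the buffer (len == cap) zeroes the neighbour byte. */
static void copy_unchecked(struct heap_model *h, const char *data, size_t len) {
    memcpy(h->mem, data, len);
    h->mem[len] = '\0';
}

/* Hardened: the terminator must fit inside the buffer, else reject. */
static int copy_checked(struct heap_model *h, const char *data, size_t len) {
    if (len >= h->cap) return -1;
    memcpy(h->mem, data, len);
    h->mem[len] = '\0';
    return 0;
}

/* Runs one copy in the model and returns the neighbour byte afterwards. */
unsigned neighbour_after_copy(int checked) {
    static const char report[] = "<feedback></feedback>"; /* constructed input */
    size_t len = sizeof report - 1;
    struct heap_model h = { calloc(len + 1, 1), len };
    if (h.mem == NULL) return 0xffu;
    h.mem[len] = 0x20 | PREV_INUSE; /* neighbour: size 0x20, previous chunk in use */
    if (checked) (void)copy_checked(&h, report, len);
    else copy_unchecked(&h, report, len);
    unsigned after = h.mem[len];
    free(h.mem);
    return after;
}

/* Real-heap form of the fix: reserve len + 1 bytes so buf[len] is in bounds. */
char *load_report(const char *data, size_t len) {
    if (len == SIZE_MAX) return NULL; /* len + 1 would wrap to 0 */
    char *buf = malloc(len + 1);
    if (buf == NULL) return NULL;
    memcpy(buf, data, len);
    buf[len] = '\0';
    return buf;
}
```

In the model the unchecked copy leaves the neighbour byte at 0x00, clearing both the size bits and PREV_INUSE, while the checked copy rejects the input and leaves it at 0x21.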

Exploit

Memory Corruption

Weakness Enumeration

Related Identifiers

BDU:2020-05517
CVE-2020-12460
DLA-2639-1
MGASA-2021-0462
USN-6356-1

Affected Products

Linuxmint
Opendmarc
Ubuntu