CVE-2020-28007
📋 TL;DR
CVE-2020-28007 is a privilege escalation vulnerability in Exim mail servers where an attacker can create symbolic or hard links in the log directory to overwrite critical root-owned files anywhere on the filesystem. This occurs because Exim runs as root while writing to a log directory owned by a non-root user. Systems running vulnerable Exim versions are affected.
💻 Affected Systems
- Exim
📦 What is this software?
Exim is an open-source mail transfer agent (MTA) maintained by the Exim project. It is normally installed setuid-root, which is why a file-write flaw in it becomes a root-level issue.
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise through arbitrary file overwrite, potentially leading to root shell access, system configuration modification, or denial of service.
Likely Case
Local privilege escalation allowing attackers to gain root privileges on the mail server system.
If Mitigated
Limited impact if proper file permissions and directory isolation are enforced, preventing unauthorized access to log directories.
🎯 Exploit Status
Exploitation requires local access to the system. Proof-of-concept details are publicly available in the Qualys advisory.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Exim 4.94.2
Vendor Advisory: https://www.exim.org/static/doc/security/CVE-2020-qualys/CVE-2020-28007-LFDIR.txt
Restart Required: Yes
Instructions:
1. Download Exim 4.94.2 or later from exim.org.
2. Stop the Exim service.
3. Install the updated version.
4. Restart the Exim service.
🔧 Temporary Workarounds
Secure log directory permissions
Linux: change the ownership and permissions of the Exim log directory so that non-root users cannot create links in it.
chown root:root /var/log/exim
chmod 755 /var/log/exim
Caveat: Exim processes that have already dropped root can no longer create new log files in a root-owned directory, so confirm that mainlog, rejectlog and paniclog are still being written after the change. On Debian-derived builds the directory is /var/log/exim4.
Run Exim with reduced privileges
Linux: configure Exim to run as a non-root user where possible, though this may affect functionality.
Edit exim.conf to set 'exim_user = mail' or a similar non-root user. Note that exim_user only selects the unprivileged identity Exim drops to for work that does not need root; a setuid-root Exim still performs its privileged operations, including much of its log writing, as root, so this reduces exposure rather than removing it and does not replace the patch.
🧯 If You Can't Patch
- Implement strict file permissions on Exim log directories to prevent non-root users from creating links.
- Monitor for suspicious file creation activities in Exim log directories using file integrity monitoring tools.
🔍 How to Verify
Check if Vulnerable:
Run 'exim --version' and check whether the reported version is below 4.94.2.
Check Version:
exim --version | head -1
Verify Fix Applied:
Confirm Exim version is 4.94.2 or higher using 'exim --version'.
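The version check above and the log-directory ownership workaround can be combined into one local audit. The script below is an added example written for this page, not a script from the Exim project or the Qualys advisory; it assumes a Linux host with GNU find, ls and awk, and a log directory at /var/log/exim (override with LOGDIR, e.g. /var/log/exim4 on Debian-based systems).

```sh
#!/bin/sh
# Added example (not from the advisory or the Exim project): local checks for CVE-2020-28007.
# Assumptions: GNU/Linux userland (find, ls, awk, sed) and a log directory at /var/log/exim.
# Run as a user that can read the directory; set EXIM_AUDIT=1 to execute the full audit.

FIXED_VERSION="4.94.2"
LOGDIR="${LOGDIR:-/var/log/exim}"

# Extract the dotted version from the first line of `exim --version`,
# e.g. "Exim version 4.94.2 #2 built 03-May-2021 14:02:11" -> "4.94.2".
parse_exim_version() {
    printf '%s\n' "$1" | sed -n 's/^Exim version \([0-9][0-9.]*\).*/\1/p'
}

# Compare two dotted versions numerically; prints -1, 0 or 1.
# Missing components count as 0, so 4.94 equals 4.94.0 and is below 4.94.2.
version_cmp() {
    echo "$1 $2" | awk '{
        n1 = split($1, a, "."); n2 = split($2, b, ".")
        n = (n1 > n2) ? n1 : n2
        for (i = 1; i <= n; i++) {
            x = (i <= n1) ? a[i] + 0 : 0
            y = (i <= n2) ? b[i] + 0 : 0
            if (x < y) { print "-1"; exit }
            if (x > y) { print "1"; exit }
        }
        print "0"
    }'
}

# True (exit 0) when the given version is below the fixed release 4.94.2.
exim_version_is_vulnerable() {
    [ "$(version_cmp "$1" "$FIXED_VERSION")" -lt 0 ]
}

# List symlinks and multiply-linked regular files directly inside a directory:
# either is the kind of link the advisory describes being planted in the log directory.
find_links_in_dir() {
    find "$1" -mindepth 1 -maxdepth 1 \( -type l -o \( -type f -links +1 \) \) 2>/dev/null
}

# Owner of a path as printed by ls (avoids the GNU-vs-BSD `stat` flag difference).
path_owner() {
    ls -ld "$1" | awk '{ print $3 }'
}

# Full check for one host; returns 0 when nothing was found, 1 when something needs attention.
audit_exim_host() {
    status=0
    if command -v exim >/dev/null 2>&1; then
        ver=$(parse_exim_version "$(exim --version 2>/dev/null | head -1)")
        if [ -n "$ver" ] && exim_version_is_vulnerable "$ver"; then
            echo "VULNERABLE: Exim $ver is below $FIXED_VERSION"; status=1
        else
            echo "ok: Exim version ${ver:-unknown}"
        fi
    else
        echo "exim binary not in PATH; skipping version check"
    fi

    if [ -d "$LOGDIR" ]; then
        owner=$(path_owner "$LOGDIR")
        if [ "$owner" != "root" ]; then
            echo "WARNING: $LOGDIR is owned by $owner, not root"; status=1
        fi
        links=$(find_links_in_dir "$LOGDIR")
        if [ -n "$links" ]; then
            echo "WARNING: links present in $LOGDIR:"; echo "$links"; status=1
        fi
    else
        echo "$LOGDIR not found; skipping directory check"
    fi
    return $status
}

# Only run the audit when asked, so the functions can also be sourced into other scripts.
if [ "${EXIM_AUDIT:-0}" = 1 ]; then
    audit_exim_host
fi
```

Usage: `EXIM_AUDIT=1 sh exim_check.sh` on the mail server. A non-zero exit means either the version is below 4.94.2 or the log directory is not root-owned or already contains links; a clean exit after patching and applying the ownership change confirms both conditions are gone.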
📡 Detection & Monitoring
Log Indicators:
- Unusual file creation in Exim log directories
- Permission denied errors from non-root users attempting to access log files
Network Indicators:
- None specific to this flaw, which is local-only; correlate local privilege escalation attempts with the initial access that preceded them.
SIEM Query:
source="exim" AND (event_type="file_create" OR event_type="permission_denied") AND path="/var/log/exim/*"