CVE-2020-28011

7.8 HIGH

📋 TL;DR

CVE-2020-28011 is a heap-based buffer overflow vulnerability in Exim mail transfer agent versions before 4.94.2. Attackers can exploit this via the -R and -S sender options during queue processing to potentially escalate privileges from the exim user to root. Organizations running vulnerable Exim versions as mail servers are affected.

💻 Affected Systems

Products:
  • Exim
Versions: All versions before 4.94.2
Operating Systems: Linux, Unix-like systems
Default Config Vulnerable: ⚠️ Yes
Notes: Affects systems where Exim is configured to process mail queues with the vulnerable options. The -R and -S options must be accessible to attackers.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Full root compromise of the mail server, allowing complete system takeover, data exfiltration, and lateral movement within the network.

🟠

Likely Case

Privilege escalation from exim user to root, enabling installation of persistent backdoors, credential theft, and further system compromise.

🟢

If Mitigated

Limited impact if proper privilege separation and SELinux/AppArmor are configured, potentially containing the exploit to the exim user context.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires access to queue processing functionality. Public proof-of-concept code exists, making weaponization likely.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 4.94.2

Vendor Advisory: https://www.exim.org/static/doc/security/CVE-2020-qualys/CVE-2020-28011-SPRSS.txt

Restart Required: Yes

Instructions:

1. Download Exim 4.94.2 or later from exim.org.
2. Stop the Exim service.
3. Back up the configuration.
4. Compile and install the new version.
5. Restart the Exim service.

🔧 Temporary Workarounds

Restrict queue processing access

linux

Limit who can use the -R and -S options through configuration changes

Review and modify exim.conf to restrict queue_run options

Disable vulnerable functionality

linux

Remove or restrict access to the affected queue processing features

Modify ACLs and configuration to block -R/-S usage

🧯 If You Can't Patch

  • Implement strict access controls on Exim queue processing functionality
  • Deploy additional security controls like SELinux/AppArmor to limit exim user privileges

🔍 How to Verify

Check if Vulnerable:

Check Exim version with 'exim -bV' and compare to 4.94.2

Check Version:

exim -bV | head -1

Verify Fix Applied:

Verify version is 4.94.2 or higher and test queue processing functionality
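The version check above can be scripted so it can run across a fleet. The following is an added example, not part of this advisory page or of the Exim project: it parses the first line of `exim -bV` (banner format "Exim version X.Y[.Z] #N built ..." is assumed) and compares the reported version with the fixed release 4.94.2. The banner strings used in the checks are constructed sample input.

```shell
#!/bin/sh
# Added example (not from the advisory): decide from the `exim -bV` banner
# whether the installed Exim is below the fixed release for CVE-2020-28011.

FIXED_VERSION="4.94.2"

# Extract "X.Y[.Z]" from a banner such as "Exim version 4.94 #2 built 12-Jan-2021 ..."
# (banner layout is an assumption based on how exim -bV prints its first line).
exim_version_from_banner() {
    printf '%s\n' "$1" | sed -n 's/^Exim version \([0-9][0-9.]*\).*/\1/p'
}

# Return 0 when $1 < $2 as dotted versions; missing components count as 0,
# so "4.94" is treated as 4.94.0 and therefore older than 4.94.2.
version_lt() {
    i=1
    while [ "$i" -le 3 ]; do
        # pad with ".0.0" so cut always finds three numeric fields
        ca=$(printf '%s.0.0\n' "$1" | cut -d. -f"$i")
        cb=$(printf '%s.0.0\n' "$2" | cut -d. -f"$i")
        if [ "$ca" -lt "$cb" ]; then return 0; fi
        if [ "$ca" -gt "$cb" ]; then return 1; fi
        i=$((i + 1))
    done
    return 1   # versions are equal
}

# Exit status: 0 = version below 4.94.2 (vulnerable unless the fix was backported),
#              1 = version at or above 4.94.2, 2 = banner could not be parsed.
exim_vulnerable() {
    v=$(exim_version_from_banner "$1")
    [ -n "$v" ] || { echo "could not parse an Exim version from: $1" >&2; return 2; }
    if version_lt "$v" "$FIXED_VERSION"; then
        echo "Exim $v is below $FIXED_VERSION: affected by CVE-2020-28011 (unless your distribution backported the fix)"
        return 0
    fi
    echo "Exim $v is at or above $FIXED_VERSION: not affected by CVE-2020-28011"
    return 1
}

# When run directly, inspect the local installation (exim may be absent on this host).
if command -v exim >/dev/null 2>&1; then
    exim_vulnerable "$(exim -bV 2>/dev/null | head -n 1)"
else
    echo "exim binary not found; nothing to check" >&2
fi
```

A version string alone is not conclusive on distribution packages: vendors commonly backport security fixes while keeping the upstream version number, so on a packaged Exim also check the package changelog or the distribution's security tracker for CVE-2020-28011 before treating a "below 4.94.2" result as confirmed.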

📡 Detection & Monitoring

Log Indicators:

  • Unusual queue processing activity
  • Failed privilege escalation attempts in system logs
  • Exim process running with unexpected privileges

Network Indicators:

  • Unusual mail queue manipulation patterns
  • Suspicious connections to Exim administration interfaces

SIEM Query:

source="exim" AND ("-R" OR "-S") AND queue_run

🔗 References
