CVE-2020-28013
📋 TL;DR
CVE-2020-28013 is a heap-based buffer overflow in the Exim mail transfer agent, affecting Exim 4 releases before 4.94.2. It is one of the local bugs in the Qualys "21Nails" advisory published in May 2021. Exim's parse_fix_phrase() mishandles the '-F' (sender full name) command-line argument when it is the two-character string '.(': the length it computes for an strncpy() call goes negative, strncpy() takes that negative int as a huge size_t, and the copy runs off the end of the heap buffer. Because the exim binary is installed setuid root and accepts '-F' from any local user, the overflow happens inside a root process, which is why this is a local privilege escalation path to root. Any host with an unpatched setuid-root Exim binary is affected, whether or not it accepts mail from the network.
💻 Affected Systems
- Exim
📦 What is this software?
Exim is an open-source mail transfer agent maintained by the Exim project. It is the default MTA on Debian-based distributions and is installed setuid root so that unprivileged local users and programs can submit mail through the sendmail-compatible command line.
⚠️ Risk & Real-World Impact
Worst Case
Full root compromise of the mail server allowing complete system takeover, data exfiltration, and lateral movement within the network.
Likely Case
Local privilege escalation to root by any local account that can execute the exim binary, including low-privilege service accounts and a web shell running as the web server user, followed by mail system compromise and further attacks from the host.
If Mitigated
Reduced impact if local access is tightly controlled, the exim binary is executable only by trusted accounts, SELinux or AppArmor confine the exim process, and the network is segmented. These measures limit who can reach the bug and what a compromised process can do; only the patch removes the overflow itself.
🎯 Exploit Status
Exploitation requires the ability to run the exim binary on the host; no network access to the MTA is needed. The trigger is a single command-line argument that is spelled out in the Qualys advisory, so reproducing the memory corruption takes one command. Turning the heap overflow into reliable code execution as root is more work and depends on the build and heap layout, but the bug sits in a setuid-root program reachable by every local user, so treat it as exploitable.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 4.94.2
Vendor Advisory: https://www.exim.org/static/doc/security/CVE-2020-qualys/CVE-2020-28013-PFPSN.txt
Restart Required: Yes
Instructions:
1. Obtain the fixed build. Prefer the distribution package: 'apt-get install --only-upgrade exim4' on Debian/Ubuntu, 'dnf update exim' on RHEL/EPEL. Distribution packages may carry the fix as a backport while keeping an upstream version number below 4.94.2, so check the package changelog for CVE-2020-28013 rather than the version alone. If you build from source, download Exim 4.94.2 or later from exim.org.
2. Stop the service: 'systemctl stop exim' (RHEL/EPEL) or 'systemctl stop exim4' (Debian/Ubuntu). Package upgrades on these distributions restart the daemon for you; stopping by hand mainly matters for source installs.
3. Install the new version with the package manager or 'make install' from the source tree.
4. Start the service again ('systemctl start exim' or 'systemctl start exim4') and confirm the running binary is the new one with 'exim -bV'. Long-running daemon processes keep executing the old code until they are restarted, which is why the restart is required.
🔧 Temporary Workarounds
Restrict local user access
Linux: Limit which local accounts can execute the exim binary. Give service accounts that never need to send mail no login shell, and make the binary executable only by a trusted group while keeping its setuid bit.
usermod -s /sbin/nologin username
chgrp mailusers /usr/sbin/exim
chmod 4750 /usr/sbin/exim
The group name 'mailusers' is an example: create it and add only the accounts that must submit mail. An absolute mode of 750 also clears the setuid bit (4755 becomes 0750); that does keep every non-root user away from the bug, but it also breaks local mail submission for cron, web applications and the 'mail' command, so only use it where local submission is not needed. On Debian/Ubuntu the binary is /usr/sbin/exim4 and the next package upgrade resets its permissions unless the override is recorded: 'dpkg-statoverride --update --add root mailusers 4750 /usr/sbin/exim4'.
Implement mandatory access control
Linux: Use SELinux or AppArmor to confine the exim process. Confinement does not stop the overflow, but it limits what code running inside the exim domain can do afterwards (which files it can touch, what it can execute, where it can connect).
setenforce 1
getenforce
'setenforce 1' is enforcing only until reboot; set SELINUX=enforcing in /etc/selinux/config to make it persistent, and confirm with 'getenforce' (must print Enforcing) or 'sestatus'. On AppArmor hosts, 'aa-status' shows whether an exim profile is loaded and in enforce mode.
🧯 If You Can't Patch
- Restrict who can execute the exim binary (group-only execute as above), and reduce the number of local accounts and the number of processes that can spawn a shell on the mail host
- Log every execution of the exim binary (for example an auditd watch with execute permission on /usr/sbin/exim) and alert on '-F' arguments containing parentheses, on exim segfaults, and on exim child processes that spawn shells or unexpected binaries
🔍 How to Verify
Check if Vulnerable:
Check the Exim version with 'exim -bV' ('exim --version' is equivalent) or from the package manager: 'rpm -q exim' or 'dpkg -l exim4'. An upstream version below 4.94.2 means vulnerable unless the distribution backported the fix, which Debian, Ubuntu and RHEL-family distributions commonly do without changing the upstream version number. Check the changelog: 'rpm -q --changelog exim | grep CVE-2020-28013' or 'apt changelog exim4 | grep CVE-2020-28013'.
Check Version:
exim -bV | head -1
Verify Fix Applied:
Confirm that 'exim -bV | head -1' reports 4.94.2 or later, or that the package changelog lists CVE-2020-28013 as fixed. Then confirm the daemon was restarted after the upgrade ('systemctl status exim' or 'systemctl status exim4' should show an active-since time later than the upgrade) so that no process is still running the old code.
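The version comparison above is easy to get wrong by hand (4.94.10 is newer than 4.94.2, and a backported fix hides behind an old version number). The following POSIX shell script is an added example, not code from the page or from the Exim project: it parses an 'exim -bV' banner, compares the version against 4.94.2 without relying on GNU 'sort -V', and checks a package changelog for the CVE identifier. The banner and changelog strings inside it are constructed for the demo; the group and file names are the ones used above.

```shell
#!/bin/sh
# Added example (not from the page or the Exim project): decide whether an
# "exim -bV" banner reports a build older than the fixed release, and check a
# package changelog for a backported fix. Sample banner and changelog text
# below are constructed for the demo.

FIXED_VERSION="4.94.2"

# Pull "4.94.2" out of a banner such as
#   "Exim version 4.94.2 #2 built 28-Apr-2021 22:40:10"
exim_version_from_banner() {
    printf '%s\n' "$1" | sed -n 's/^Exim version \([0-9][0-9.]*\).*/\1/p'
}

# Compare two dotted versions component by component (no GNU sort -V needed).
# Returns 0 when $1 is strictly lower than $2, 1 otherwise.
version_lt() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai=${a%%.*}; bi=${b%%.*}
        [ -n "$ai" ] || ai=0
        [ -n "$bi" ] || bi=0
        if [ "$ai" -lt "$bi" ]; then return 0; fi
        if [ "$ai" -gt "$bi" ]; then return 1; fi
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    return 1
}

# 0 = banner is below 4.94.2 (vulnerable unless the fix was backported),
# 1 = fixed upstream version, 2 = banner not understood.
exim_banner_vulnerable() {
    v=$(exim_version_from_banner "$1")
    [ -n "$v" ] || return 2
    version_lt "$v" "$FIXED_VERSION"
}

# Distributions often backport the fix without bumping the upstream version,
# so a low version is only a hint. Reads changelog text on stdin;
# 0 = the CVE is mentioned.
changelog_mentions_fix() {
    grep -q 'CVE-2020-28013'
}

# Constructed inputs for the demo.
SAMPLE_OLD_BANNER="Exim version 4.92 #3 built 04-Feb-2020 10:21:35"
SAMPLE_FIXED_BANNER="Exim version 4.94.2 #2 built 28-Apr-2021 22:40:10"
SAMPLE_CHANGELOG="exim4 (example-backport) stable-security; urgency=high

  * Backport fixes from the Qualys 21Nails advisory, including CVE-2020-28013.
"

report() {
    rc=0
    exim_banner_vulnerable "$1" || rc=$?
    case $rc in
        0) printf 'VULNERABLE by version: %s\n' "$1" ;;
        1) printf 'at or above %s: %s\n' "$FIXED_VERSION" "$1" ;;
        *) printf 'could not parse banner: %s\n' "$1" ;;
    esac
}
report "$SAMPLE_OLD_BANNER"
report "$SAMPLE_FIXED_BANNER"

# On a real host, run the same checks against the live binary; follow up with
# "apt changelog exim4" or "rpm -q --changelog exim" piped into
# changelog_mentions_fix when the version alone says vulnerable.
if command -v exim >/dev/null 2>&1; then
    report "$(exim -bV 2>/dev/null | head -n 1)"
fi
```

Run it as-is to see the two constructed banners classified, then on the mail host itself; a "VULNERABLE by version" result is a prompt to check the changelog, not a verdict, because a backported fix keeps the old version string.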
📡 Detection & Monitoring
Log Indicators:
- Executions of exim, exim4 or sendmail whose '-F' argument begins with '.(' (the documented trigger) or contains an unbalanced parenthesis. A display name with a parenthesized comment is legal RFC 822 syntax, so treat other '(' values as review items rather than alerts
- Segfaults or core dumps of exim in the kernel log or journal ('exim[...]: segfault at ...'), which is what a failed or clumsy attempt looks like; a healthy exim daemon does not crash
- exim child processes that spawn shells or unexpected binaries, and exim processes started from an interactive user session, a web server worker or cron rather than by the MTA's own listener
Network Indicators:
- None specific to this bug: it is triggered on the local command line and involves no network traffic, so there is no packet signature for it
- Look instead for how the attacker obtained local access (SSH logins, web shells) and for post-exploitation traffic from the mail host (new outbound connections, lateral movement)
SIEM Query:
process_name:(exim OR exim4 OR sendmail) AND cmdline:"-F" AND cmdline:"("
(Lucene-style; adapt field names to your platform.) Do not filter on the process user: exim is setuid root, so every invocation runs as root no matter who started it. The useful context fields are the original user and the parent process; an interactive shell, a web server worker or cron as parent deserves a look, the MTA's own listener does not.
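The query above needs a process-execution feed. On Linux the simplest one is an auditd watch on the binary ('-w /usr/sbin/exim -p x -k exim_exec', or /usr/sbin/exim4 on Debian/Ubuntu), whose EXECVE records carry each argument separately. The following shell script is an added example, not code from the page or the Exim project: it scans raw EXECVE records and applies the log indicator above, flagging a '-F' phrase that starts with '.(' as HIGH and any other '-F' phrase containing '(' as REVIEW. The audit records embedded in it are constructed for the demo; on a real host feed it 'ausearch -k exim_exec --raw'.

```shell
#!/bin/sh
# Added example (not from the page or the Exim project): scan raw auditd
# EXECVE records for exim/sendmail invocations whose -F phrase contains a
# parenthesis, the shape of the CVE-2020-28013 trigger ("-F '.('").
# Sample records below are constructed for the demo; a live feed comes from
# an audit watch such as "-w /usr/sbin/exim -p x -k exim_exec" and
# "ausearch -k exim_exec --raw".

# Reads raw audit lines on stdin, prints one line per suspicious invocation:
#   HIGH    phrase starts with ".(" (the documented trigger)
#   REVIEW  phrase merely contains "(" (RFC 822 comments in a display name
#           are legal, so this needs a human look)
detect_exim_f_abuse() {
    awk '
    /^type=EXECVE / {
        split("", argv); argc = 0
        # Collect a0="...", a1="..." fields into argv[]. auditd hex-encodes
        # arguments containing spaces or quotes; run "ausearch -i" first if
        # you need those decoded as well.
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^a[0-9]+=/) {
                eq = index($i, "=")
                k = substr($i, 2, eq - 2) + 0
                v = substr($i, eq + 1)
                gsub(/^"|"$/, "", v)
                argv[k] = v
                if (k >= argc) argc = k + 1
            }
        }
        if (argc == 0) next
        prog = argv[0]; sub(/.*\//, "", prog)
        # Exim also installs a sendmail(8)-compatible entry point.
        if (prog != "exim" && prog != "exim4" && prog != "sendmail") next
        for (i = 1; i < argc; i++) {
            phrase = ""
            if (argv[i] == "-F" && (i + 1) in argv)
                phrase = argv[i + 1]          # "-F <phrase>"
            else if (substr(argv[i], 1, 2) == "-F" && length(argv[i]) > 2)
                phrase = substr(argv[i], 3)   # "-F<phrase>", attached form
            if (phrase == "" || index(phrase, "(") == 0) continue
            verdict = (substr(phrase, 1, 2) == ".(") ? "HIGH" : "REVIEW"
            print verdict, $2, "prog=" prog, "phrase=" phrase
        }
    }'
}

# Constructed sample records: two triggers (201 and 203, the second in the
# attached "-F.(" form), one legitimate name with a comment (204), one
# ordinary submission (202) and one unrelated program (205).
SAMPLE_AUDIT='type=EXECVE msg=audit(1619700000.101:201): argc=3 a0="exim" a1="-F" a2=".("
type=EXECVE msg=audit(1619700000.102:202): argc=4 a0="/usr/sbin/sendmail" a1="-F" a2="Alice" a3="bob@example.org"
type=EXECVE msg=audit(1619700000.103:203): argc=2 a0="/usr/sbin/exim4" a1="-F.("
type=EXECVE msg=audit(1619700000.104:204): argc=3 a0="exim" a1="-F" a2="Bob(Ops)"
type=EXECVE msg=audit(1619700000.105:205): argc=2 a0="/bin/ls" a1="-F"
type=SYSCALL msg=audit(1619700000.105:205): arch=c000003e syscall=59 success=yes exit=0 comm="ls" exe="/bin/ls"'

printf '%s\n' "$SAMPLE_AUDIT" | detect_exim_f_abuse
```

The msg=audit(...) field printed with each hit is the audit event id; 'ausearch -a <id> -i' returns the matching SYSCALL record with the real uid, parent pid and working directory, which is the context the SIEM query above cannot give you.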