CVE-2020-28015

7.8 HIGH

📋 TL;DR

CVE-2020-28015 is a vulnerability in the Exim mail transfer agent in which a local user can inject newline characters into a recipient address, potentially altering the behavior of Exim processes running as root. It affects Exim installations where local users can submit mail through the system, and it allows manipulation of mail processing by the privileged daemon.

💻 Affected Systems

Products:
  • Exim
Versions: Exim 4 before version 4.94.2
Operating Systems: Linux, Unix-like systems
Default Config Vulnerable: ⚠️ Yes
Notes: Affects systems where Exim is configured to accept local mail and runs with root privileges during mail processing.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Local privilege escalation to root, allowing complete system compromise through manipulation of root-controlled mail processes.

🟠 Likely Case

Local users can manipulate mail routing, cause mail delivery failures, or potentially execute arbitrary commands with elevated privileges.

🟢 If Mitigated

With proper access controls and patching, impact is limited to mail delivery manipulation without privilege escalation.

🌐 Internet-Facing: LOW - This is primarily a local attack vector requiring local user access.
🏢 Internal Only: HIGH - Local users on affected systems can exploit this vulnerability to manipulate root processes.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires local user access. Proof of concept details are available in the Qualys advisory.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Exim 4.94.2 and later

Vendor Advisory: https://www.exim.org/static/doc/security/CVE-2020-qualys/CVE-2020-28015-NLEND.txt

Restart Required: Yes

Instructions:

1. Download Exim 4.94.2 or later from exim.org.
2. Compile and install the new version.
3. Restart the Exim service.
4. Verify the version with 'exim -bV'.

🔧 Temporary Workarounds

Restrict local mail submission (Linux)

Configure Exim to reject mail with newline characters in recipient addresses, or restrict local user mail submission.

Edit exim.conf to add ACL rules rejecting addresses with newlines.

🧯 If You Can't Patch

  • Implement strict access controls to limit local user accounts on Exim servers
  • Monitor Exim logs for unusual mail patterns or newline injection attempts

🔍 How to Verify

Check if Vulnerable:

Check Exim version with 'exim -bV'. If version is below 4.94.2, the system is vulnerable.

Check Version:

exim -bV | grep 'Exim version'

Verify Fix Applied:

After patching, verify version is 4.94.2 or higher with 'exim -bV' and test mail submission with controlled newline injection attempts.

📡 Detection & Monitoring

Log Indicators:

  • Unusual mail patterns in Exim logs
  • Failed mail deliveries with malformed addresses
  • Log entries showing newline characters in recipient fields

Network Indicators:

  • Local mail submission attempts with encoded newlines

SIEM Query:

source="exim.log" AND (recipient CONTAINS "%0A" OR recipient CONTAINS "%0D")
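The log indicators and SIEM query above, turned into a small offline scanner, as an added example that is not part of this advisory page or of Exim itself. It assumes the standard Exim mainlog layout ("date time msgid flag address ..."), treats raw CR/LF, the `\n`/`\r` escape sequences Exim's log printing uses for non-printable bytes, and URL-encoded `%0A`/`%0D` as newline markers, and ties each hit back to the local submitter recorded on the message's `U=` arrival line; the log lines are constructed samples.

```python
import re

# Assumed Exim mainlog layout: "<date> <time> <msgid> <flag> <address> <rest>".
# Flags: "<=" arrival, "=>" delivery, "->" additional recipient, "**" failure, "==" deferral.
LOG_RE = re.compile(
    r'^(?P<ts>\S+ \S+) (?P<msgid>\S+) (?P<flag><=|=>|->|\*\*|==) (?P<addr>\S+)(?P<rest>.*)$'
)

# Raw CR/LF, Exim's printed escapes "\n"/"\r", or URL-encoded %0A/%0D (any case).
NEWLINE_RE = re.compile(r'[\r\n]|\\[nr]|%0[aAdD]')


def address_has_newline(addr: str) -> bool:
    """True if an address carries a raw, escaped, or %-encoded CR/LF."""
    return NEWLINE_RE.search(addr) is not None


def scan_exim_log(lines):
    """Return one finding per log line whose address contains a newline marker.

    Each finding records the message id, the log flag, the offending address and,
    when the message's arrival line was seen earlier, the local user (U=) that
    submitted it, which is the first thing an incident responder will want.
    """
    submitters = {}  # msgid -> local user from the "<=" arrival line
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a message-event line (or a fragment left by a raw newline)
        msgid, flag, addr, rest = m.group('msgid', 'flag', 'addr', 'rest')
        if flag == '<=':
            u = re.search(r'\bU=(\S+)', rest)
            if u:
                submitters[msgid] = u.group(1)
        if address_has_newline(addr):
            findings.append({'msgid': msgid, 'flag': flag,
                             'address': addr, 'submitter': submitters.get(msgid)})
    return findings


# Constructed sample log (hypothetical message ids, users and hosts).
SAMPLE_LOG = """\
2021-05-04 10:15:01 1lDxYz-0003Ab-Cd <= alice@example.test U=alice P=local S=512
2021-05-04 10:15:02 1lDxYz-0003Ab-Cd => bob@example.test R=localuser T=local_delivery
2021-05-04 10:16:40 1lDxZa-0003Ac-Ef <= mallory@example.test U=mallory P=local S=640
2021-05-04 10:16:41 1lDxZa-0003Ac-Ef => bob@example.test%0AX-Injected:1 R=localuser T=local_delivery
2021-05-04 10:17:05 1lDxZb-0003Ad-Gh ** carol@example.test\\nBcc:root R=localuser: Unrouteable address
"""

if __name__ == '__main__':
    for f in scan_exim_log(SAMPLE_LOG.splitlines()):
        print(f)
```

Run it over a real mainlog with `scan_exim_log(open('/var/log/exim4/mainlog').readlines())`; a raw injected LF also shows up as a following line that fails `LOG_RE`, so a count of non-matching lines is worth alerting on too.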
