CVE-2020-28017

9.8 CRITICAL

📋 TL;DR

CVE-2020-28017 is an integer overflow vulnerability in the Exim mail transfer agent that can lead to a buffer overflow when a message is submitted with an excessive number of recipients. It affects Exim servers running versions before 4.94.2. Attackers could potentially execute arbitrary code or cause a denial of service.

💻 Affected Systems

Products:
  • Exim
Versions: All versions before 4.94.2
Operating Systems: Linux, Unix-like systems
Default Config Vulnerable: ⚠️ Yes
Notes: All Exim installations with default configurations are vulnerable if running affected versions.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Remote code execution leading to complete system compromise, allowing attackers to install malware, steal data, or pivot to other systems.

🟠 Likely Case

Denial of service through resource exhaustion or server crash, since remote exploitation requires sending 50 million recipients, which itself consumes significant resources.

🟢 If Mitigated

Limited impact with proper resource limits and monitoring in place, potentially only causing temporary service disruption.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires sending an email with 50 million recipients, which consumes significant bandwidth and resources, making practical exploitation challenging but possible.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 4.94.2

Vendor Advisory: https://www.exim.org/static/doc/security/CVE-2020-qualys/CVE-2020-28017-RCPTL.txt

Restart Required: Yes

Instructions:

1. Download Exim 4.94.2 or later from exim.org.
2. Stop the Exim service.
3. Back up the configuration files.
4. Install the new version.
5. Restart the Exim service.

🔧 Temporary Workarounds

Limit maximum recipients

linux

Configure Exim to limit the maximum number of original recipients per message

Add 'recipients_max = 100' to the main section of the Exim configuration, choosing a limit that fits legitimate traffic. (The option recipients_max caps the recipients of a single message; smtp_accept_max_per_connection limits the number of messages accepted over one SMTP connection and does not bound the RCPT TO count that this vulnerability depends on.)

Resource limits

linux

Implement system resource limits to prevent resource exhaustion

ulimit -v 1000000   (caps the virtual memory of the shell that starts Exim, in KiB, i.e. about 1 GB)
Configure systemd/cgroup limits for the Exim process (for example MemoryMax= in the service unit's [Service] section) so that a runaway recipient list is terminated rather than exhausting the host

🧯 If You Can't Patch

  • Implement strict network filtering to limit incoming email connections
  • Deploy intrusion detection/prevention systems to monitor for exploitation attempts

🔍 How to Verify

Check if Vulnerable:

Check the Exim version with 'exim --version' (or the equivalent 'exim -bV') and verify whether it is below 4.94.2

Check Version:

exim --version | head -1

Verify Fix Applied:

Verify version is 4.94.2 or higher with 'exim --version'
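The version check above done in a repeatable way, as an added example that is not part of this advisory: a POSIX shell script that parses the first line of `exim --version` output and compares the dotted version against the fixed release 4.94.2. The version lines it runs over are constructed samples; on a real host feed it the live binary's output as shown in the comment.

```shell
#!/bin/sh
# Added example, not from the advisory: decide whether an Exim version
# string is below the fixed release 4.94.2.

FIXED_VERSION="4.94.2"

# version_lt A B: exit 0 if dotted version A is numerically lower than B.
# Both are padded with ".0.0.0" so every compared field exists ("4.94" is
# treated as 4.94.0, which is below 4.94.2).
version_lt() {
    a="$1.0.0.0"
    b="$2.0.0.0"
    i=1
    while [ "$i" -le 4 ]; do
        x=$(printf '%s' "$a" | cut -d. -f"$i")
        y=$(printf '%s' "$b" | cut -d. -f"$i")
        [ "$x" -lt "$y" ] && return 0
        [ "$x" -gt "$y" ] && return 1
        i=$((i + 1))
    done
    return 1   # versions are equal
}

# exim_version_from_line LINE: print the dotted version found in a line such
# as "Exim version 4.94 #2 built 03-Apr-2021". The "#2" is Exim's build
# number, not a patch level, so that line is version 4.94 (vulnerable).
exim_version_from_line() {
    printf '%s\n' "$1" | sed -n 's/.*[Vv]ersion \([0-9][0-9.]*\).*/\1/p'
}

# exim_is_vulnerable LINE: exit 0 if the version in LINE is below 4.94.2,
# 1 if it is fixed, 2 if no version could be parsed.
exim_is_vulnerable() {
    v=$(exim_version_from_line "$1")
    if [ -z "$v" ]; then
        echo "could not parse an Exim version from: $1" >&2
        return 2
    fi
    version_lt "$v" "$FIXED_VERSION"
}

# On a real host run:  exim_is_vulnerable "$(exim --version | head -1)"
# Below, constructed sample lines stand in for that output.
for line in "Exim version 4.93 #3 built 27-Feb-2020" \
            "Exim version 4.94 #2 built 03-Apr-2021" \
            "Exim version 4.94.2 #2 built 30-Apr-2021"; do
    rc=0
    exim_is_vulnerable "$line" || rc=$?
    case $rc in
        0) echo "VULNERABLE: $line" ;;
        1) echo "fixed:      $line" ;;
        *) echo "unknown:    $line" ;;
    esac
done
```

The field-by-field comparison matters here: a plain string comparison would rank "4.94" and "4.94.2" incorrectly and would treat the "#2" build number as if it were the ".2" patch level.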

📡 Detection & Monitoring

Log Indicators:

  • Unusually large number of recipients in single email
  • Exim crash logs
  • Resource exhaustion warnings

Network Indicators:

  • Large SMTP connections with excessive RCPT TO commands
  • Unusual traffic patterns to Exim port 25

SIEM Query:

source="exim.log" AND "RCPT TO" | stats count by src_ip | where count > 100000
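The log indicator and SIEM query above, turned into a host-side check as an added example that is not part of this advisory: a POSIX shell function that counts RCPT-related log lines per connecting IP in an Exim-style log and reports the sources above a threshold. The log lines are constructed to resemble Exim main-log entries (the host name, addresses and message id are invented), and what Exim records per RCPT depends on its log_selector, so the `/RCPT/` match should be adapted to the logs actually produced on the server.

```shell
#!/bin/sh
# Added example, not from the advisory: count RCPT events per connecting IP
# in an Exim-style log and report the sources above a threshold.

# rcpt_counts_over LOGFILE THRESHOLD
#   Prints "<count> <ip>" for each IPv4 source with more than THRESHOLD
#   matching lines, highest count first. The IP is taken from the first
#   bracketed dotted-quad on the line, which is where Exim logs the
#   sending host's address (IPv6 sources are not matched by this pattern).
rcpt_counts_over() {
    awk -v thr="$2" '
        /RCPT/ && match($0, /\[[0-9.]+\]/) {
            ip = substr($0, RSTART + 1, RLENGTH - 2)   # strip the brackets
            n[ip]++
        }
        END { for (ip in n) if (n[ip] > thr) print n[ip], ip }
    ' "$1" | sort -rn
}

# write_sample_log PATH: write a constructed log (not captured from a real
# server) with three RCPT lines from 203.0.113.5, one from 198.51.100.7,
# and one unrelated message-arrival line that must not be counted.
write_sample_log() {
    cat > "$1" <<'EOF'
2021-05-04 10:15:01 H=mx.example.net [198.51.100.7] F=<a@example.net> rejected RCPT <u1@example.org>: relay not permitted
2021-05-04 10:15:02 H=(bulk) [203.0.113.5] F=<x@example.com> rejected RCPT <u1@example.org>: relay not permitted
2021-05-04 10:15:02 H=(bulk) [203.0.113.5] F=<x@example.com> rejected RCPT <u2@example.org>: relay not permitted
2021-05-04 10:15:02 H=(bulk) [203.0.113.5] F=<x@example.com> rejected RCPT <u3@example.org>: relay not permitted
2021-05-04 10:15:03 1lDxQ1-0001Ab-3F <= x@example.com H=(bulk) [203.0.113.5] P=esmtp S=1234
EOF
}

# Demo on the constructed log. On a real host run, with the threshold the
# SIEM query uses:   rcpt_counts_over /path/to/exim/mainlog 100000
tmp=$(mktemp)
write_sample_log "$tmp"
echo "sources with more than 2 RCPT lines:"
rcpt_counts_over "$tmp" 2
rm -f "$tmp"
```

With a recipients_max limit in place, the surplus RCPT commands are refused by Exim itself, so the same count per source also tells you how hard a sender is pushing against that limit.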
