CVE-2020-28022
📋 TL;DR
CVE-2020-28022 is a critical (NVD CVSS 3.1 base score 9.8) heap out-of-bounds read and write in Exim's extract_option(), the routine that parses the name=value options (SIZE=, BODY=, AUTH= and similar) appended to MAIL FROM and RCPT TO commands. A remote, unauthenticated client can trigger it with a crafted MAIL FROM or RCPT TO line before any ACL or authentication takes place, corrupting the heap of the receiving Exim process and potentially executing arbitrary code. It affects Exim 4 releases before 4.94.2 and was one of the 21 "Nails" vulnerabilities disclosed by Qualys in May 2021.
💻 Affected Systems
- Exim 4, all releases before 4.94.2 (distribution packages may carry a backported fix under an older version number; see How to Verify)
📦 What is this software?
Exim is an open-source mail transfer agent (MTA) for Unix-like systems, originally written at the University of Cambridge and maintained by the Exim project. It is the default MTA on Debian and accepts inbound SMTP on TCP port 25, which is the path through which this bug is reached.
⚠️ Risk & Real-World Impact
Worst Case
Remote unauthenticated attacker gains root privileges on the Exim server, leading to complete system compromise, data exfiltration, and potential lateral movement within the network.
Likely Case
Remote code execution with Exim process privileges (often root), allowing attackers to install malware, create backdoors, or use the server as a pivot point for further attacks.
If Mitigated
If proper network segmentation and least privilege are implemented, impact may be limited to the mail server itself, though data breach and service disruption are still likely.
🎯 Exploit Status
Discovered by the Qualys Research Team and disclosed on 4 May 2021 as one of the 21 "Nails" Exim vulnerabilities; the Qualys write-up is the vendor advisory linked below. Qualys published the root-cause analysis; no weaponized public exploit is cited here. Because the bug is reachable by any client that can open an SMTP session, before authentication and before ACLs run, an unpatched internet-facing server should be treated as exploitable.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 4.94.2
Vendor Advisory: https://www.exim.org/static/doc/security/CVE-2020-qualys/CVE-2020-28022-EXOPT.txt
Restart Required: Yes
Instructions:
1. Obtain the fix. For a packaged install, upgrade through the distribution (apt-get install --only-upgrade exim4 on Debian/Ubuntu, dnf update exim on RHEL-based systems). Exim 4.94.2 source is available from exim.org if you build your own. Distributions may backport the fix into an older version string, so go by the package changelog or the distribution advisory rather than the upstream number alone.
2. Back up the current configuration (/etc/exim4 on Debian, /etc/exim/exim.conf on RHEL-based systems).
3. Stop Exim: systemctl stop exim4 (Debian/Ubuntu) or systemctl stop exim (RHEL/Fedora); older init systems use /etc/init.d/exim4 stop or /etc/init.d/exim stop.
4. Install the new version with the package manager or from source.
5. Start Exim again (systemctl start exim4 or systemctl start exim) and confirm the running daemon is the new binary with exim -bV. Long-lived processes started before the upgrade, such as queue runners and open SMTP sessions, keep running the old code until they are restarted.
🔧 Temporary Workarounds
Perimeter Access Control
Do not string-match "MAIL FROM" or "RCPT TO" at the packet level: every legitimate SMTP transaction contains both commands, so such a rule drops all inbound mail, and a packet filter cannot tell a crafted option string from a valid one. What does reduce exposure until the patch lands is restricting who may reach port 25 at all. Example for a server that only needs to accept mail from a known relay (203.0.113.10 is a placeholder; replace it with your relay or MX gateway addresses):
iptables -A INPUT -p tcp --dport 25 -s 203.0.113.10 -j ACCEPT
iptables -A INPUT -p tcp --dport 25 -j DROP
An internet-facing MX cannot be restricted this way; for it the only effective measure is the patch.
🧯 If You Can't Patch
- Implement strict network access controls to limit SMTP access to trusted sources only
- Deploy intrusion prevention systems (IPS) with rules to detect and block exploitation attempts; expect false negatives, since a valid-looking MAIL FROM option is hard to distinguish from a crafted one
- Do not rely on Exim ACLs, TLS or SMTP AUTH to block this: the vulnerable option parsing of MAIL FROM and RCPT TO runs before the MAIL and RCPT ACLs are evaluated and does not require the client to authenticate
🔍 How to Verify
Check if Vulnerable:
Any Exim 4 build whose upstream version is below 4.94.2 and that has not received a distribution backport is vulnerable.
Check Version:
exim -bV | head -1
(exim --version prints the same first line, "Exim version X.Y.Z #N built ..."; on Debian the binary is exim4, with exim provided as a symlink.)
Distribution packages often backport the fix while keeping the older upstream version number, so also check the package: dpkg -l exim4-base (Debian/Ubuntu) or rpm -q --changelog exim | grep -i CVE-2020-28022 (RHEL-based systems).
Verify Fix Applied:
exim -bV reports 4.94.2 or later, or the package changelog lists CVE-2020-28022, and the daemon has been restarted since the upgrade (compare the binary's modification time with the daemon's start time, e.g. ps -o lstart= -C exim4).
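The version comparison above, as an added shell example (not from the advisory or from the Exim project): it classifies a version string against the 4.94.2 fix, reads the version out of exim -bV on a live host, and reminds the operator to check for a distribution backport before concluding anything. The exim4 binary name and the dpkg/rpm commands are assumptions for Debian- and RHEL-style hosts.

```shell
#!/bin/sh
# Added example (not from the advisory or from Exim): classify an Exim version
# against the 4.94.2 fix and pull the version from a live host. POSIX sh only.
set -u

# exim_upstream_vulnerable VERSION
#   returns 0 (true) when VERSION is an upstream Exim 4 release below 4.94.2,
#   1 otherwise. Trailing suffixes such as "-RC3" or "_1" are ignored.
exim_upstream_vulnerable() {
    v=${1%%[!0-9.]*}              # "4.94.2-RC3" -> "4.94.2"
    major=${v%%.*}; rest=${v#"$major"}; rest=${rest#.}
    minor=${rest%%.*}; rest=${rest#"$minor"}; rest=${rest#.}
    patch=${rest%%.*}             # a fourth component (4.93.0.4) is ignored
    major=${major:-0}; minor=${minor:-0}; patch=${patch:-0}
    if [ "$major" -lt 4 ]; then return 0; fi
    if [ "$major" -gt 4 ]; then return 1; fi
    if [ "$minor" -lt 94 ]; then return 0; fi
    if [ "$minor" -gt 94 ]; then return 1; fi
    if [ "$patch" -lt 2 ]; then return 0; fi
    return 1
}

# installed_exim_version
#   prints the upstream version from the first line of "exim -bV"
#   ("Exim version 4.94.2 #2 built ..."), trying the Debian name exim4 as well.
installed_exim_version() {
    bin=$(command -v exim || command -v exim4) || return 1
    "$bin" -bV 2>/dev/null | awk 'NR == 1 && $1 == "Exim" { print $3; exit }'
}

# check_exim_host
#   prints a verdict for the local machine. Exit status: 0 = upstream version
#   predates the fix (verify a distro backport before closing the ticket),
#   1 = fixed upstream, 2 = exim not installed or output not understood.
check_exim_host() {
    ver=$(installed_exim_version) || { echo "exim: not installed"; return 2; }
    [ -n "$ver" ] || { echo "exim: could not parse 'exim -bV' output"; return 2; }
    if exim_upstream_vulnerable "$ver"; then
        echo "exim $ver: below 4.94.2. Check for a backport before concluding it is vulnerable:"
        echo "  dpkg -l exim4-base                                  (Debian/Ubuntu)"
        echo "  rpm -q --changelog exim | grep -i CVE-2020-28022    (RHEL-based)"
        return 0
    fi
    echo "exim $ver: 4.94.2 or later, CVE-2020-28022 fixed upstream"
    return 1
}

# Run the check for the host this script is executed on.
check_exim_host
```

Run it on each mail host; an exit status of 0 means "upstream version predates the fix", which is a prompt to look at the package changelog, not a final verdict.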
📡 Detection & Monitoring
Log Indicators:
- Exim mainlog lines of the form SMTP syntax error in "MAIL FROM:..." or "RCPT TO:..." repeated from the same client, especially with unexpected name=value options, a bare "=", or unbalanced quotes and angle brackets (these lines require the smtp_syntax_error log selector; add log_selector = +smtp_syntax_error if they are missing)
- Receive processes dying mid-session: "segfault at ... in exim" lines in the kernel log or journalctl -k, or SMTP sessions that end right after MAIL FROM / RCPT TO with no "<=" message line
- Authentication is irrelevant: the bug triggers before AUTH and before any ACL, so do not gate detection on failed logins
Network Indicators:
- MAIL FROM or RCPT TO lines carrying options Exim does not advertise in its EHLO response, or of abnormal length, from hosts with no prior mail history
- Many short SMTP connections from one source that close immediately after MAIL FROM or RCPT TO
- A successful exploit leaves no error in the mainlog; watch for post-exploitation signs instead (unexpected child processes of exim, outbound connections from the mail host, new files in the spool or log directories)
SIEM Query:
Exim mainlog (path varies: /var/log/exim4/mainlog on Debian, /var/log/exim/main.log on RHEL-based systems):
source="/var/log/exim4/mainlog" "SMTP syntax error in" ("MAIL FROM" OR "RCPT TO")
Kernel log for crashed receive processes (Exim itself never logs "buffer overflow" or "segmentation fault"):
source="/var/log/kern.log" "segfault at" ("exim[" OR "exim4[")
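The two indicators above applied to sample logs, as an added shell example (not part of the advisory or of Exim): the mainlog and kernel lines are constructed for the example and the error text after the colon varies by Exim release; the stable parts matched on are Exim's SMTP syntax error in "MAIL FROM / "RCPT TO prefix (which requires the smtp_syntax_error log selector) and the kernel's "segfault at" message. The threshold of three errors per client is an assumption to tune per site.

```shell
#!/bin/sh
# Added example (not from the advisory or from Exim): triage an Exim mainlog and
# the kernel log for CVE-2020-28022 probing and crashed receive processes.
set -u

# Constructed sample mainlog: three malformed MAIL/RCPT lines from one client,
# one normal delivery and one isolated syntax error from another client.
SAMPLE_LOG=$(mktemp)
cat >"$SAMPLE_LOG" <<'EOF'
2021-05-04 10:15:20 SMTP syntax error in "MAIL FROM:<a@example.com> FOO=1" H=(x) [203.0.113.5] : invalid data for MAIL
2021-05-04 10:15:21 SMTP syntax error in "RCPT TO:<b@example.com> BAR=" H=(x) [203.0.113.5] : invalid data for RCPT
2021-05-04 10:15:22 SMTP syntax error in "MAIL FROM:=" H=(x) [203.0.113.5] : invalid data for MAIL
2021-05-04 10:16:00 1lduQW-0001Ab-2c <= user@example.org H=mail.example.org [198.51.100.7] P=esmtps S=2048
2021-05-04 10:16:05 SMTP syntax error in "MAIL FROM:<c@example.net> SIZE=abc" H=(y) [198.51.100.7] : invalid data for MAIL
EOF

# Constructed sample kernel log: one crashed exim4 receive process plus noise.
SAMPLE_KERNEL=$(mktemp)
cat >"$SAMPLE_KERNEL" <<'EOF'
May  4 10:15:23 mx1 kernel: exim4[4242]: segfault at 0 ip 000055d1c2a3f4b0 sp 00007ffc1d2e3f40 error 4 in exim4[55d1c29f0000+1a0000]
May  4 10:15:30 mx1 kernel: usb 1-1: new high-speed USB device number 3 using xhci_hcd
EOF
trap 'rm -f "$SAMPLE_LOG" "$SAMPLE_KERNEL"' EXIT

# noisy_smtp_clients LOGFILE THRESHOLD
#   prints "COUNT IP" for every client that triggered a MAIL FROM / RCPT TO
#   syntax error at least THRESHOLD times. The IP is the bracketed address that
#   Exim appends after the H= host field.
noisy_smtp_clients() {
    logfile=$1; threshold=$2
    grep -E 'SMTP syntax error in "(MAIL FROM|RCPT TO)' "$logfile" \
      | sed -n 's/.*\[\([0-9a-fA-F.:]*\)\].*/\1/p' \
      | sort | uniq -c \
      | awk -v t="$threshold" '$1 >= t { print $1, $2 }'
}

# exim_segfault_count KERNELLOG
#   counts receive processes the kernel reported as crashed (exim or exim4);
#   on a systemd host feed it "journalctl -k --no-pager" output instead.
exim_segfault_count() {
    grep -cE 'exim4?\[[0-9]+\]: segfault at' "$1"
}

echo "clients with >= 3 MAIL FROM / RCPT TO syntax errors:"
noisy_smtp_clients "$SAMPLE_LOG" 3
echo "exim receive-process crashes in kernel log: $(exim_segfault_count "$SAMPLE_KERNEL")"
```

Point noisy_smtp_clients at the real mainlog to get a per-source list worth cross-checking against firewall logs; a crash count above zero on an unpatched host means an attempt reached the vulnerable parser.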