CVE-2020-28026

Name of the Vulnerable Software and Affected Versions Exim versions prior to 4.94.2

Description The issue is related to improper neutralization of line delimiters in non-default configurations that enable Delivery Status Notification (DSN). Certain uses of ORCPT= can place a newline into a spool header file, allowing unauthenticated remote attackers to execute arbitrary commands as root. The vulnerability is associated with insufficient input validation in the spool read header() function of the Exim message transfer agent.

Recommendations For versions prior to 4.94.2, update to version 4.94.2 or later to resolve the issue. As a temporary workaround, consider disabling the Delivery Status Notification (DSN) feature to minimize the risk of exploitation. Restrict access to the spool read header() function to prevent unauthenticated remote attackers from executing arbitrary commands. Avoid using the ORCPT= parameter in configurations where it may introduce a newline into a spool header file.