CVE-2020-28007: 
Exim vulnerability analysis and mitigation

CVE-2020-28007 is a local privilege escalation vulnerability in Exim mail server that affects all versions since at least 2004. The vulnerability exists because Exim operates as root in its log directory, which belongs to the 'exim' user. When exploited, it allows an attacker who has obtained 'exim' user privileges to escalate to full root privileges through a symlink or hardlink attack in Exim's log directory (Qualys Advisory, The Record).

The vulnerability stems from Exim's log file handling mechanism where it opens log files in append mode as root. The log file path is derived from logfilepath, a format string defined at compile time. On Debian systems, logfilepath is '/var/log/exim4/%slog', where '%s' is converted to 'main', 'reject', 'panic', or 'debug' at runtime. An attacker with 'exim' user privileges can create a symlink or hardlink in the log directory to redirect writes to arbitrary files on the system (Qualys Advisory).

The vulnerability allows an attacker who has obtained 'exim' user privileges to escalate to full root privileges. This can be achieved by creating a symlink in the log directory and appending arbitrary contents to arbitrary files (such as /etc/passwd), effectively gaining complete system control (Qualys Advisory).

The vulnerability was addressed in Exim version 4.94.2. System administrators should update to this version or later to mitigate the risk. The fix prevents the symlink and hardlink attacks in the log directory by implementing proper file handling controls (NVD).

This vulnerability was part of the '21Nails' vulnerability collection discovered by Qualys, which impacted approximately 60% of the internet's email servers. The disclosure generated significant attention in the security community due to Exim's widespread deployment and the severity of the vulnerabilities (The Record).