CVE-2020-28008: 
Exim vulnerability analysis and mitigation

Exim 4 before 4.94.2 contains a privilege escalation vulnerability identified as CVE-2020-28008. The vulnerability exists because Exim operates as root in the spool directory (owned by a non-root user), allowing an attacker to write to a /var/spool/exim4/input spool header file, where a crafted recipient address can indirectly lead to command execution (Vendor Advisory, NVD).

The vulnerability stems from Exim's operational model where it runs with root privileges in a spool directory owned by a non-root user. This creates a security issue where an attacker with 'exim' user privileges can manipulate files in the spool directory. The vulnerability has a CVSS v3.1 Base Score of 7.8 HIGH (Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and is classified under CWE-269 (Improper Privilege Management) (NVD).

The vulnerability allows an attacker who has obtained the privileges of the 'exim' user to escalate to full root privileges. This can be achieved through various attack vectors, including direct writing to spool header files and manipulation of files in the spool directory (Vendor Advisory).

The vulnerability was fixed in Exim version 4.94.2. Organizations should upgrade to this version or later to mitigate the risk. The fix prevents the privilege escalation attack vector in the spool directory (NVD).