CVE-2020-28009: 
Exim vulnerability analysis and mitigation

Exim 4 before 4.94.2 contains an Integer Overflow vulnerability that can lead to a Buffer Overflow condition (CVE-2020-28009). The vulnerability exists in the get_stdinput function which allows unbounded reads accompanied by unbounded increases in a certain size variable. This vulnerability was discovered as part of the '21Nails' vulnerability set affecting Exim mail servers, disclosed in May 2021. Notably, exploitation may be impractical due to the execution time needed to overflow, which could take multiple days (Qualys Advisory, NVD).

The vulnerability is classified as an Integer Overflow leading to a Buffer Overflow condition. It has been assigned a CVSS v3.1 Base Score of 7.8 (HIGH) with the vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. The vulnerability is also tracked under CWE-190 (Integer Overflow or Wraparound). The issue affects the get_stdinput function, which fails to properly handle size calculations during input processing (NVD).

If successfully exploited, this vulnerability could allow an attacker to potentially execute arbitrary code or cause a denial of service condition. However, the practical impact is mitigated by the extended execution time required for successful exploitation, which could take multiple days to achieve the overflow condition (Qualys Advisory).

The primary mitigation is to upgrade to Exim version 4.94.2 or later. System administrators should apply the available security updates through their distribution's package management system. For Ubuntu users, specific package updates have been released to address this vulnerability along with other related issues (Ubuntu Security).