CVE-2020-28018: 
Exim vulnerability analysis and mitigation

CVE-2020-28018 is a Use-After-Free vulnerability affecting Exim mail server versions 4.90 through 4.94.2, specifically in the smtp_reset functionality when using OpenSSL. The vulnerability was discovered and reported by Qualys Security Advisory team in May 2021 (Qualys Advisory).

The vulnerability occurs in the tls-openssl.c file where a Use-After-Free condition can be triggered in smtp_reset under certain situations when OpenSSL is used. The vulnerability has received a CVSS v3.1 Base Score of 9.8 (Critical) with vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, indicating its severe nature (NVD).

If successfully exploited, this vulnerability allows an unauthenticated remote attacker to achieve Remote Code Execution (RCE) as the 'exim' user. The vulnerability is particularly significant as it can be exploited without authentication and can lead to complete system compromise (Qualys Advisory).

The primary mitigation is to upgrade to Exim version 4.94.2 or later which contains the fix for this vulnerability. For systems that cannot be immediately upgraded, there are no documented workarounds, making the upgrade the only secure solution (Ubuntu Security).

The security community actively discussed the vulnerability, with researchers sharing exploitation techniques and mitigation strategies on the OSS-security mailing list. Multiple security researchers engaged in technical discussions about the exploitation methods, demonstrating significant interest in understanding and addressing the vulnerability (OSS Security).