CVE-2020-28025: 
Exim vulnerability analysis and mitigation

CVE-2020-28025 affects Exim 4 before version 4.94.2. The vulnerability is an out-of-bounds read in the pdkimfinishbodyhash function, where the code fails to validate the relationship between sig->bodyhash.len and b->bh.len. This could allow an attacker to craft a DKIM-Signature header that leads to information disclosure from process memory (NVD).

The vulnerability exists in the pdkimfinishbodyhash function of Exim's DKIM processing code. The issue arises from improper validation between sig->bodyhash.len and b->bh.len parameters, which can lead to an out-of-bounds read condition. The vulnerability has a CVSS v3.1 Base Score of 7.5 (HIGH) with vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N (NVD).

When exploited, this vulnerability could allow an attacker to leak sensitive information from the process memory through a specially crafted DKIM-Signature header. The impact is primarily focused on confidentiality, with no direct impact on integrity or availability (NVD).

The vulnerability was fixed in Exim version 4.94.2. System administrators should upgrade to this version or later to mitigate the risk. For Ubuntu systems, updates are available through the standard system update process for various Ubuntu versions including 21.04, 20.10, 20.04 LTS, and 18.04 ESM (Ubuntu Security Notice).