{}

{}

{}

{"bugzilla": {"description": "samba: Command Injection in WINS Server Hook Script", "id": "2394377", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2394377"}, "csaw": false, "cvss3": {"cvss3_base_score": "10.0", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "status": "draft"}, "details": ["A flaw was found in Samba, in the front-end WINS hook handling: NetBIOS names from registration packets are passed to a shell without proper validation or escaping. Unsanitized NetBIOS name data from WINS registration packets are inserted into a shell command and executed by the Samba Active Directory Domain Controller\u2019s wins hook, allowing an unauthenticated network attacker to achieve remote command execution as the Samba process."], "mitigation": {"lang": "en:us", "value": "The mitigation is to disable the vulnerable configuration by removing or leaving the wins hook parameter empty in smb.conf and ensuring that wins support is set to no on all Domain Controllers. Since the issue only affects Samba when both WINS support and the hook are enabled, disabling these options prevents exploitation. Administrators should also restrict external access to UDP port 137 to trusted networks."}, "name": "CVE-2025-10230", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Not affected", "package_name": "samba", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "samba", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "samba4", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "samba", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "samba", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "samba", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Not affected", "package_name": "rhcos", "product_name": "Red Hat OpenShift Container Platform 4"}], "public_date": "2025-10-15T12:45:58Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2025-10230\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-10230\nhttps://www.samba.org/samba/history/security.html"], "statement": "On Red Hat Enterprise Linux (RHEL) versions 6, 7, 8, 9 and 10, the Samba packages as shipped are not affected by this vulnerability. This is because Red Hat does not provide Active Directory Domain Controller (AD DC) functionality in its Samba packages, and the vulnerable wins hook execution path exists only when Samba is configured as a domain controller with WINS support enabled. As a result, the default Samba deployments on RHEL cannot be exploited via this issue.\nThis vulnerability is considered Critical rather than Important because it enables unauthenticated remote code execution (RCE) on a Samba Active Directory Domain Controller through a trivially reachable network service. The flaw lies in the wins hook mechanism, where unvalidated NetBIOS names from incoming WINS registration packets are directly concatenated into a shell command and executed with sh -c. This means an attacker can inject arbitrary shell metacharacters and run commands with the privileges of the Samba process\u2014often root on a DC. Unlike moderate flaws that may require authentication, complex preconditions, or result only in limited information exposure or denial of service, this issue provides a direct path to full system compromise over the network with minimal effort. The combination of remote reachability, lack of authentication, low complexity, and full confidentiality, integrity, and availability impact justifies its classification as a Critical vulnerability.", "threat_severity": "Critical"}

{}