=================================================================
== Subject:     Command injection via WINS server hook script
==
== CVE ID#:     CVE-2025-10230
==
== Versions:    All versions since 4.0
==
== Summary:     If the 'wins hook' parameter is set on a domain
==              controller with the WINS server enabled,
==              unauthenticated remote code execution is possible.
=================================================================

===========
Description
===========

If a Samba server has WINS support enabled (it is off by default), and
it has a 'wins hook' parameter specified, the program specified by
that parameter will be run whenever a WINS name is changed.

The WINS server used by the Samba Active Directory Domain Controller
did not validate the names passed to the wins hook program, and it
passed them by inserting them into a string run by a shell.

WINS is an obsolete and trusting protocol, and clients can request any
name that fits within the 15 character NetBIOS limit. This includes
some shell metacharacters, making it possible to run arbitrary
commands on the host.

The WINS server used by Samba when it is not a domain controller is
unaffected.
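
The mechanics described above, as an added illustration that is not Samba's code: a client-supplied NetBIOS name is spliced into one command string that a shell parses, versus the same name passed as its own argv element. The hook path, the two-argument hook interface and the allow-list in safe_netbios_name() are assumptions made for this example (the real 'wins hook' receives more arguments, and the allow-list rejects some names NetBIOS permits); the sample name is constructed.

```python
import shlex
import subprocess

# Constructed example: the mechanics behind this advisory, not Samba's code.
# A hypothetical hook path and a simplified two-argument hook interface are
# assumed; the real 'wins hook' receives more arguments than shown here.
HOOK = "/usr/local/sbin/wins-hook.sh"
NETBIOS_MAX = 15

# Characters a POSIX shell interprets specially. Any of them inside a name that
# is spliced into a command string handed to 'sh -c' changes how it is parsed.
SHELL_METACHARS = set(";|&$`<>(){}\"'\\*?#~ \t\n")


def fits_netbios(name: str) -> bool:
    """True if the name fits the 15-character NetBIOS limit the advisory mentions."""
    return 0 < len(name) <= NETBIOS_MAX


def shell_metachars_in(name: str) -> set:
    """Shell metacharacters present in a client-supplied name."""
    return {c for c in name if c in SHELL_METACHARS}


def build_hook_command_unsafe(hook: str, operation: str, name: str) -> str:
    """The vulnerable pattern: the name is interpolated into one string that a
    shell will later parse. Nothing here stops ';' or '>' from being honoured."""
    return f"{hook} {operation} {name}"


def shell_tokens(command: str) -> list:
    """Show how a POSIX shell would tokenise the command string: ';' and '>'
    come out as separate operator tokens, i.e. a second command and a
    redirection, not as part of the name."""
    lexer = shlex.shlex(command, posix=True, punctuation_chars=True)
    return list(lexer)


def safe_netbios_name(name: str) -> bool:
    """Defence in depth: an allow-list chosen for this example (letters, digits,
    '-' and '_'). It is an assumption, not Samba's fix, and it rejects some
    names NetBIOS actually permits."""
    return fits_netbios(name) and all(c.isalnum() or c in "-_" for c in name)


def build_hook_argv(hook: str, operation: str, name: str) -> list:
    """The hardened pattern: the name travels as its own argv element, so no
    shell ever parses it and metacharacters are inert bytes in one argument."""
    if not safe_netbios_name(name):
        raise ValueError(f"rejecting suspicious NetBIOS name: {name!r}")
    return [hook, operation, name]


def run_hook(argv: list) -> int:
    """Execute the hook without a shell (a list argv implies shell=False)."""
    return subprocess.run(argv, check=False).returncode


if __name__ == "__main__":
    name = "X;id>/tmp/o"  # constructed: 11 chars, fits NetBIOS, carries ';' and '>'
    print(fits_netbios(name), sorted(shell_metachars_in(name)))
    print(shell_tokens(build_hook_command_unsafe(HOOK, "add", name)))
    print(build_hook_argv(HOOK, "add", "FILESRV01"))
```

The argv form is what removes the injection; the allow-list only narrows what reaches the hook and would need to be widened for deployments that rely on the full NetBIOS character set.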

==================
Patch Availability
==================

Patches addressing this issue have been posted to:

    https://www.samba.org/samba/security/

Additionally, Samba 4.23.2, 4.22.5, and 4.21.9 have been issued as
security releases to correct the defect. Samba administrators are
advised to upgrade to these releases or apply the patch as soon as
possible.

==================
CVSSv3 calculation
==================

CVSS:3.1: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H  (10.0)

==========
Workaround
==========

Avoid setting the 'wins hook' parameter in the smb.conf of a Samba AD
Domain Controller.

The 'wins hook' parameter is only effective when 'wins support' is
enabled. In other words, this combination is safe, regardless of 'wins
hook':

        server role = domain controller
        wins support = no

The default value for 'wins support' is 'no', so it is safe (though
pointless) to set 'wins hook' when 'wins support' is not enabled.

It does NOT help to have 'wins hook' set to a non-existent or
non-executable path, but an explicitly empty value

        wins hook =

is OK.

When 'server role' is not 'domain controller' (or its synonyms 'active
directory domain controller', 'dc'), the server is not affected.
Specifically, 'member' or 'standalone' servers use a different WINS
server that is not vulnerable.

The 'wins hook' parameter is unlikely to be useful on a domain
controller, and administrators who use it might want to reconsider
that choice even on a patched server. It may not be supported in
future Samba releases.
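
A check for the combination this section describes, as an added example that is not part of the advisory or of Samba's tooling: it reads the [global] section of an smb.conf and reports whether the role is a domain controller (or one of its synonyms named above), 'wins support' is on, and 'wins hook' is non-empty. The sample configurations are constructed, the hook path is hypothetical, and an unset 'server role' is treated as not a DC, which is an assumption made here rather than something the advisory states.

```python
import configparser

# Constructed example, not Samba's own tooling: report whether an smb.conf
# matches the affected combination from this advisory
# (DC role + 'wins support = yes' + a non-empty 'wins hook').

DC_ROLES = {"domain controller", "active directory domain controller", "dc"}


def _norm_key(key: str) -> str:
    # Samba ignores case and whitespace in parameter names, so
    # 'Wins Support', 'wins support' and 'winssupport' are the same parameter.
    return "".join(key.lower().split())


def samba_bool(value, default=False) -> bool:
    """Samba boolean syntax: yes/true/1 and no/false/0 (case-insensitive)."""
    if value is None:
        return default
    v = value.strip().lower()
    if v in ("yes", "true", "1"):
        return True
    if v in ("no", "false", "0"):
        return False
    raise ValueError(f"not a Samba boolean: {value!r}")


def load_global(smb_conf_text: str) -> dict:
    """Return the [global] parameters with normalised keys.

    Leading indentation is stripped so configparser does not treat indented
    parameter lines as continuations of the previous value; '%' interpolation
    is disabled because smb.conf uses %U, %m and similar substitutions."""
    flat = "\n".join(line.strip() for line in smb_conf_text.splitlines())
    parser = configparser.ConfigParser(interpolation=None, strict=False,
                                       allow_no_value=True)
    parser.optionxform = _norm_key
    parser.read_string(flat)
    for section in parser.sections():
        if section.lower() == "global":
            return dict(parser.items(section))
    return {}


def assess(smb_conf_text: str) -> dict:
    g = load_global(smb_conf_text)
    role = (g.get("serverrole") or "").strip().lower()
    # 'wins support' defaults to off, as the advisory says. An unset role is
    # treated as not a DC: an assumption made for this check.
    is_dc = role in DC_ROLES
    wins_support = samba_bool(g.get("winssupport"), default=False)
    wins_hook = (g.get("winshook") or "").strip()
    # A non-existent or non-executable hook path still counts as set; only an
    # explicitly empty value (or an absent parameter) is safe.
    return {
        "role": role or "(unset)",
        "dc": is_dc,
        "wins_support": wins_support,
        "wins_hook": wins_hook,
        "affected": is_dc and wins_support and wins_hook != "",
    }


# Constructed sample configurations; the hook path is hypothetical.
AFFECTED_CONF = """\
[global]
    workgroup = EXAMPLE
    realm = AD.EXAMPLE.COM
    server role = active directory domain controller
    wins support = yes
    wins hook = /usr/local/sbin/wins-hook.sh
"""
WORKAROUND_CONF = AFFECTED_CONF.replace("wins support = yes", "wins support = no")
MEMBER_CONF = AFFECTED_CONF.replace(
    "server role = active directory domain controller", "server role = member")
EMPTY_HOOK_CONF = AFFECTED_CONF.replace(
    "wins hook = /usr/local/sbin/wins-hook.sh", "wins hook =")

if __name__ == "__main__":
    for label, conf in [("affected", AFFECTED_CONF), ("workaround", WORKAROUND_CONF),
                        ("member", MEMBER_CONF), ("empty hook", EMPTY_HOOK_CONF)]:
        print(f"{label:11} -> {assess(conf)}")
```

Because smb.conf may pull in other files via 'include', feed the check the stdout of `testparm -s` rather than the raw file so that the effective [global] values are what it sees; explicit defaults are still applied by the script when a parameter is absent.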

=======
Credits
=======

Reported by Igor Morgenstern of Aisle Research.

Patches provided by Douglas Bagnall of the Samba team and Catalyst IT.

This advisory written by Douglas Bagnall.

==========================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
==========================================================