好的,我现在需要帮用户总结一篇文章的内容,控制在100字以内,而且不需要用“文章内容总结”之类的开头。首先,我得仔细阅读用户提供的文章内容,理解其中的关键信息。 文章主要讲的是OpenCFD OpenFOAM 2506版本中的一个任意代码执行漏洞。这个漏洞存在于Code Stream指令功能中,攻击者可以通过恶意构造的OpenFOAM模拟文件触发漏洞,导致任意代码执行。CVSSv3评分为7.8,属于中高风险。 接下来,我需要提取关键点:软件名称、漏洞版本、漏洞类型、影响、缓解措施等。然后把这些信息浓缩成一段简短的描述。 需要注意的是,用户要求控制在100字以内,并且直接写描述,不使用特定的开头。因此,我需要确保语言简洁明了,涵盖所有重要信息。 最后,检查一下字数是否符合要求,并确保没有遗漏关键点。这样就能生成一个准确且符合用户要求的总结了。 </think> OpenCFD OpenFOAM 2506版本存在任意代码执行漏洞,攻击者可通过恶意构造的模拟文件触发该漏洞。默认配置允许未经警告的代码注入和执行。建议禁用allowSystemOperations以缓解风险。 2026-2-18 00:0:6 Author: talosintelligence.com(查看原文) 阅读量:1 收藏
SUMMARY
An arbitrary code execution vulnerability exists in the Code Stream directive functionality of OpenCFD OpenFOAM 2506. A specially crafted OpenFOAM simulation file can lead to arbitrary code execution. An attacker can provide a malicious file to trigger this vulnerability.
CONFIRMED VULNERABLE VERSIONS
The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.
OpenCFD OpenFOAM 2506
PRODUCT URLS
OpenFOAM - https://www.openfoam.com/
CVSSv3 SCORE
7.8 - CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CWE
CWE-94 - Improper Control of Generation of Code (‘Code Injection’)
DETAILS
OpenFOAM is a very popular computation fluid dynamics open-source software, used extensively in academia and the industry.
OpenFOAM takes a specific directory structure as input. Some of the most important files in this directory structure are dictionary files that contain various settings like the total simulation time, the output format, the specific solver to use etc.
The specification for the dictionary file allows for a code directive #codeStream that contains C++ code which will be automatically compiled and executed during simulation. This can include any valid C++ code, even calls to standard functions like system() which can grant an attacker easy access to a remote machine, granting arbitrary code execution.
In the OpenFOAM configuration file, there is the option allowSystemOperations which if set to false, disables the automatic code generation and execution. However, this option is set to true by default and no warning is presented to the user that running a simulation effectively allows arbitrary code execution from an untrusted source. If the option is not present in the configuration file, it still defaults to true, compiling and executing arbitrary code.
controlDict and meshDict are some of the most common dictionary files necessary for a simulation, however OpenFOAM allows for other user supplied dictionaries that can inlude C++ code.
Mitigation
In the OpenFOAM configuration file, make sure that the option allowSystemOperations is set to false. Ex:
allowSystemOperations 0
TIMELINE
2025-11-10 - Initial Vendor Contact
2025-11-17 - Vendor Disclosure
2025-11-25 - Bugs Have Been Created in Vendor Bugtracker
2025-12-03 - Vendor Reply
2025-12-08 - Talos Reply
2025-12-11 - Vendor Reply, Fix Suggestions
2025-12-18 - Talos Feedback
2026-02-04 - Status Request to Vendor
2026-02-04 - Vendor Reply
2026-02-11 - Talos Reply, Upcoming Release Date Announced
2026-02-18 - Public Release
Discovered by Dimitrios Tatsis of Cisco Talos.
如有侵权请联系:admin#unsafe.sh