Article Details
Scrape Timestamp (UTC): 2024-04-30 18:50:34.835
Original Article Text
Click to Toggle View
R language flaw allows code execution via RDS/RDX files. A new vulnerability has been discovered in the R programming language that allows arbitrary code execution upon deserializing specially crafted RDS and RDX files. R is an open-source programming language that is particularly popular among statisticians and data miners who develop and use custom data analysis models, and it is also seeing increased adoption by the emerging AI/ML field. Researchers at HiddenLayer recently discovered a vulnerability in R, tracked as CVE-2024-27322 (CVSS v3: 8.8), that enables attackers to run arbitrary code on target machines when the victim opens R Data Serialization (RDS) or R package files (RDX). The vulnerability exploits the way R handles serialization ('saveRDS') and deserialization ('readRDS'), particularly through promise objects and "lazy evaluation." Attackers can embed promise objects with arbitrary code in the RDS file metadata in the form of expressions, which are evaluated during deserialization, resulting in the code's execution. The victim must be convinced or tricked into executing those files, so the attack involves a social engineering component. However, attackers can opt for a more passive approach, distributing the packages on widely used repositories and waiting for victims to download them. Impact and mitigation HiddenLayer explains that CVE-2024-27322 has far-reaching implications due to its extensive use in critical sectors and the large number of packages deployed in data analysis environments without sufficient checks. CERT/CC has issued an alert to warn projects and organizations that use R and the readRDS function on unverified packages of the need to update to R Core version 4.4.0, which addresses CVE-2024-27322. Released on April 24, 2024, R Core v4.4.0 introduces restrictions on using promises in the serialization stream, preventing arbitrary code execution. Organizations that cannot upgrade immediately or want to implement additional security layers should run RDS/RDX files in isolated environments such as sandboxes and containers to prevent code execution on the underlying system.
Daily Brief Summary
A new vulnerability in the R programming language allows arbitrary code execution through the deserialization of specially crafted RDS and RDX files.
Identified as CVE-2024-27322, with a CVSS v3 score of 8.8, this issue primarily affects users of R, popular among statisticians, data analysts, and AI/ML researchers.
Attack vectors include embedding promise objects in file metadata, which execute arbitrary code when deserialized.
Social engineering techniques may be employed to trick users into opening malicious files, or attackers might distribute the corrupted files via popular repositories.
The vulnerability poses significant risks in sectors reliant on data analysis due to the extensive use of R programming.
CERT/CC has issued warnings and advises updating to R Core version 4.4.0, which includes patches that prevent this type of exploit.
Organizations unable to upgrade immediately are recommended to run potentially harmful RDS/RDX files in isolated environments like sandboxes to mitigate risks.