A new vulnerability has been discovered in the R programming language that allows arbitrary code execution upon deserializing specially crafted RDS and RDX files.
R is an open-source programming language that is particularly popular among statisticians and data miners who develop and use custom data analysis models, and it is also seeing increased adoption by the emerging AI/ML field.
Researchers at HiddenLayer recently discovered a vulnerability in R, tracked as CVE-2024-27322 (CVSS v3: 8.8), that enables attackers to run arbitrary code on target machines when the victim opens R Data Serialization (RDS) or R package files (RDX).
The vulnerability exploits the way R handles serialization ('saveRDS') and deserialization ('readRDS'), particularly through promise objects and "lazy evaluation."
Attackers can embed promise objects with arbitrary code in the RDS file metadata in the form of expressions, which are evaluated during deserialization, resulting in the code's execution.
The victim must be convinced or tricked into executing those files, so the attack involves a social engineering component.
However, attackers can opt for a more passive approach, distributing the packages on widely used repositories and waiting for victims to download them.
Impact and mitigation
HiddenLayer explains that CVE-2024-27322 has far-reaching implications due to its extensive use in critical sectors and the large number of packages deployed in data analysis environments without sufficient checks.
CERT/CC has issued an alert to warn projects and organizations that use R and the readRDS function on unverified packages of the need to update to R Core version 4.4.0, which addresses CVE-2024-27322.
Released on April 24, 2024, R Core v4.4.0 introduces restrictions on using promises in the serialization stream, preventing arbitrary code execution.
Organizations that cannot upgrade immediately or want to implement additional security layers should run RDS/RDX files in isolated environments such as sandboxes and containers to prevent code execution on the underlying system.
Comments
h_b_s - 4 weeks ago
Great, more vulnerability disclosure by hyperbolic press releases. Far as I can tell the vulnerability is in the implementation of GNU R, not in the *language* "R" itself, contrary to all the reporting. Sure, everyone needs to update if they use the GNU R tools. Stop conflating the language which may or may not have more than one implementation with its various implementation(s). They aren't the same thing. The language R has several including proprietary implementations which may or may not be based on GNU's tools.
That's kinda like blaming the entire language of Python for an implementation bug in python.org's interpreter. There's about 5 other implementations of python interpreters and JITs on my mind without even resorting to a search engine. Any of which may or may not carry the same bug, but that bug still wouldn't be in the language itself.