Threat update
A high-severity flaw tracked as CVE-2024-27322 (CVSS 3.x base score 8.8) has been disclosed in the R programming language. Attackers can craft malicious RDS files or R packages that embed arbitrary R code, and that code runs when the deserialized object is first used.
Technical Detail and Additional Info
What is the threat?
CVE-2024-27322 allows arbitrary code execution through the deserialization of untrusted data. The weakness sits in R's deserialization mechanism (the code path behind readRDS() and the loading of serialized package data), and it can be reached through RDS (R Data Serialization) files or R packages, both of which are routinely exchanged among developers and data scientists. An attacker exploits it by crafting an RDS file that embeds a promise object carrying malicious code.
The vulnerability rests on two core R concepts: "lazy evaluation" and "promise objects". Lazy evaluation is the strategy by which R does not evaluate an expression or argument until its value is actually required; the intent is to avoid the cost of computations whose results may never be needed. A promise object is the building block of lazy evaluation: it holds an unevaluated expression together with the environment to evaluate it in, and its value is computed (once, then cached) when something first asks for it.
An attacker can serialize a promise object whose expression is the malicious payload. Because the promise is restored in its unevaluated state, the payload does not run while the file is being parsed; it runs the first time the deserialized object is accessed afterwards, for example when a variable read from the file is printed, inspected or passed to a function, without the victim ever calling eval() explicitly.
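The deferred-evaluation behaviour described above can be seen in plain R without any serialization. The following is an added illustration, not code from the advisory or from the original research: delayedAssign() binds a name to a promise, the promise's expression has a visible side effect, and the side effect appears only on the first access of the name. A promise restored from a crafted RDS file behaves the same way, which is why the payload fires on use rather than on load.

```r
# Added example: promise semantics in R (not part of the original advisory).
# delayedAssign() creates a promise: the expression is stored, not evaluated.
promise_trace <- function() {
  trace <- character(0)

  # The braces below are the promise's expression. Nothing inside runs yet.
  # eval.env defaults to this function's frame, so plain '<-' updates 'trace'.
  delayedAssign("payload", {
    trace <- c(trace, "expression evaluated")
    "value produced by the promise"
  })
  trace <- c(trace, "promise bound, nothing evaluated")

  # First access forces the promise: the expression runs exactly once.
  first <- payload
  trace <- c(trace, "first access done")

  # Second access returns the cached value; the expression does not run again.
  second <- payload
  trace <- c(trace, "second access done")

  list(first = first, second = second, trace = trace)
}

res <- promise_trace()
cat(res$trace, sep = "\n")
# Order of events:
#   promise bound, nothing evaluated
#   expression evaluated
#   first access done
#   second access done
stopifnot(identical(res$first, res$second))
```

The point for defenders is in the ordering: a tool that merely parses or loads a file and never touches the resulting objects will not observe the payload, so "it loaded fine in a sandbox" is not evidence that an RDS file is inert.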
Why is it noteworthy?
R is a widely used open-source language for statistical computing and machine learning, with a strong footprint in healthcare, finance, and government. Exploitation of this vulnerability could therefore reach critical operations and sensitive data across those sectors.
What is the exposure or risk?
The exploitation risk arises when an attacker constructs an RDS file containing a promise object whose expression is arbitrary executable code. Because of R's lazy evaluation, the code runs as soon as a user loads the malicious file or package and then uses the deserialized object. R packages are a natural carrier because package data and lazy-load databases are stored in R's serialization format, so a victim does not have to call readRDS() directly. By introducing such a weaponized package into a commonly used R repository such as CRAN, an attacker can target users broadly and simply wait for someone to install and use the compromised package.
What are the recommendations?
LBT Technology Group recommends the following actions to secure your environment against this attack:
- Update all R installations to version 4.4.0 or later, which addresses this vulnerability; check with `R --version` or `getRversion()` on every host and in every container image that runs R.
- Treat RDS files and R packages from untrusted or unverified sources as executable code rather than inert data: do not load them on unpatched R, pin package sources and versions, and review or hash-verify data files before deserializing them.
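One way to enforce both recommendations at the point where deserialization happens, as an added example that is not part of the advisory: a wrapper that refuses to call readRDS() on an affected interpreter and only deserializes files whose SHA-256 digest is on a caller-supplied allowlist. The allowlist policy and the function name are assumptions for illustration; the digest computation uses the CRAN package digest.

```r
# Added example (not from the original advisory). Requires the 'digest'
# package from CRAN: install.packages("digest").
library(digest)

read_rds_guarded <- function(path, allowed_sha256) {
  # Recommendation 1: never deserialize on an interpreter affected by
  # CVE-2024-27322. getRversion() returns a version object, so the string
  # comparison is done component-wise, not lexically.
  if (getRversion() < "4.4.0") {
    stop("R ", getRversion(), " is affected by CVE-2024-27322; ",
         "upgrade to 4.4.0 or later before deserializing RDS files")
  }
  # Recommendation 2: only deserialize files that were reviewed and pinned
  # by hash. A swapped or tampered file is rejected before readRDS() parses
  # a single object, so an embedded promise never reaches the R session.
  actual <- digest(path, algo = "sha256", file = TRUE)
  if (!(actual %in% allowed_sha256)) {
    stop("refusing to deserialize ", path, ": SHA-256 ", actual,
         " is not in the allowlist")
  }
  readRDS(path)
}

# Constructed demo input: a benign data frame written to a temp file.
path <- tempfile(fileext = ".rds")
saveRDS(data.frame(id = 1:3, score = c(0.2, 0.5, 0.9)), path)
allowlist <- digest(path, algo = "sha256", file = TRUE)   # pinned after review

str(read_rds_guarded(path, allowlist))   # hash matches: object is loaded

# Simulate the file being replaced after it was reviewed.
saveRDS(list(replaced = TRUE), path)
outcome <- tryCatch(read_rds_guarded(path, allowlist),
                    error = conditionMessage)
print(outcome)                           # refusal message, nothing deserialized
```

The hash check binds a load to a specific reviewed artifact; it does not inspect the file's contents, so it is a complement to, not a substitute for, the interpreter upgrade. For packages, the equivalent control is installing only pinned versions from a repository you trust.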
References
For more in-depth information about the recommendations, please visit the following links:
- https://feedly.com/cve/CVE-2024-27322
- https://thehackernews.com/2024/04/new-r-programming-vulnerability-exposes.html
- https://hiddenlayer.com/research/r-bitrary-code-execution/
- https://nvd.nist.gov/vuln/detail/CVE-2024-27322
If you have any questions, please contact LBT's Sales Engineer.