A security vulnerability has been discovered in the R programming language that could be exploited by a threat actor to create a malicious RDS (R Data Serialization) file such that it results in code execution when loaded and referenced.
The flaw, assigned the CVE identifier CVE-2024-27322, “involves the use of promise objects and lazy evaluation in R,” AI application security company HiddenLayer said in a report shared with The Hacker News.
RDS, like pickle in Python, is a format used to serialize and save the state of data structures or objects in R, an open-source programming language used in statistical computing, data visualization, and machine learning.
This process of serialization – serialize() or saveRDS() – and deserialization – unserialize() and readRDS() – is also used when saving and loading R packages.
The root cause of CVE-2024-27322 is that deserializing untrusted data can lead to arbitrary code execution, which leaves users exposed to supply chain attacks through specially crafted R packages.
An attacker looking to weaponize the flaw could therefore take advantage of the fact that R packages rely on the RDS format to save and load data, causing automatic code execution when the package is decompressed and deserialized.
“R packages are vulnerable to this exploit and can, therefore, be used as part of a supply chain attack via package repositories,” security researchers Kasimir Schulz and Kieran Evans said. “For an attacker to take over an R package, all they need to do is overwrite the rdx file with the maliciously crafted file, and when the package is loaded, it will automatically execute the code.”
The security defect has been addressed in version 4.4.0, released on April 24, 2024, following responsible disclosure.
“An attacker can exploit this [flaw] by crafting a file in RDS format that contains a promise instruction setting the value to unbound_value and the expression to contain arbitrary code,” HiddenLayer stated. “Due to lazy evaluation, the expression will only be evaluated and run when the symbol associated with the RDS file is accessed.”
“Therefore if this is simply an RDS file, when a user assigns it a symbol (variable) in order to work with it, the arbitrary code will be executed when the user references that symbol. If the object is compiled within an R package, the package can be added to an R repository such as CRAN, and the expression will be evaluated and the arbitrary code run when a user loads that package.”