A new vulnerability has been found in the R programming language that enables arbitrary code execution when deserializing specially crafted RDS and RDX files.
R is an open-source programming language that is particularly popular among statisticians and data miners who develop and use custom data analysis models, and it is also seeing increased adoption in the growing AI/ML field.
Researchers at HiddenLayer recently discovered a vulnerability in R, tracked as CVE-2024-27322 (CVSS v3: 8.8), that allows attackers to run arbitrary code on target machines when the victim opens R Data Serialization (RDS) or R package files (RDX).
The vulnerability exploits the way R handles serialization ('saveRDS') and deserialization ('readRDS'), particularly through promise objects and "lazy evaluation."
Attackers can embed promise objects with arbitrary code in the RDS file metadata in the form of expressions, which are evaluated during deserialization, resulting in the code's execution.
The victim must be convinced or tricked into opening these files, so the attack involves a social engineering component.
However, attackers can opt for a more passive approach, distributing the packages on widely used repositories and waiting for victims to download them.
Impact and mitigation
HiddenLayer explains that CVE-2024-27322 has far-reaching implications because of R's extensive use in critical sectors and the large number of packages deployed in data analysis environments without sufficient checks.
“After searching GitHub, our team discovered that readRDS, one of the many ways this vulnerability can be exploited, is referenced in over 135,000 R source files. Looking through the repositories, we found that a large amount of the usage was on untrusted, user-provided data, which could lead to a full compromise of the system running the program. Some source files containing potentially vulnerable code included projects from R Studio, Facebook, Google, Microsoft, AWS, and other major software vendors.” – HiddenLayer
CERT/CC has issued an alert to warn projects and organizations that use R and the readRDS function on unverified packages of the need to update to R Core version 4.4.0, which addresses CVE-2024-27322.
Released on April 24, 2024, R Core v4.4.0 introduces restrictions on using promises in the serialization stream, preventing arbitrary code execution.
Organizations that cannot upgrade immediately or want to implement extra security layers should open RDS/RDX files in isolated environments such as sandboxes and containers to prevent code execution on the underlying system.
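For teams that cannot upgrade yet and want a pre-check before readRDS touches untrusted data, the following added Python scanner (not HiddenLayer's or R's code) walks the XDR serialization stream using the type codes documented in R Internals and reports whether a promise object (PROMSXP, type 5) appears anywhere in the object graph, which is the construct the fix in R 4.4.0 restricts. The RDS byte samples in it are constructed inline for the demonstration; the writer version, encoding name and the list-holding-a-promise layout are assumptions for illustration, and the scanner deliberately raises on stream types it does not model (byte code, external pointers) rather than guessing.

```python
import gzip
import struct

# SEXP type codes and stream-only markers from R's serialize.c / R Internals.
PROMSXP = 5
CHARSXP = 9
NO_PAYLOAD = {241, 242, 247, 251, 252, 253, 254}  # BASEENV, EMPTYENV, BASENAMESPACE, MISSINGARG, UNBOUND, GLOBALENV, NULL
PAIRLIKE = {2, 3, 5, 6, 17}                        # LISTSXP, CLOSXP, PROMSXP, LANGSXP, DOTSXP
ELEM_SIZE = {10: 4, 13: 4, 14: 8, 15: 16, 24: 1}   # LGL, INT, REAL, CPLX, RAW element widths
ITEM_VECTORS = {16, 19, 20}                         # STRSXP, VECSXP, EXPRSXP: length + items


class RdsScanner:
    def __init__(self, data):
        if data[:2] == b"\x1f\x8b":                  # readRDS gunzips transparently; so do we
            data = gzip.decompress(data)
        self.buf, self.pos, self.types = data, 0, []

    def _int(self):
        (v,) = struct.unpack_from(">i", self.buf, self.pos)
        self.pos += 4
        return v

    def _bytes(self, n):
        chunk = self.buf[self.pos:self.pos + n]
        if len(chunk) != n:
            raise ValueError("truncated stream")
        self.pos += n
        return chunk

    def _length(self):
        n = self._int()
        if n == -1:                                  # long vector: two more ints
            hi, lo = self._int(), self._int()
            n = (hi << 32) | (lo & 0xFFFFFFFF)
        return n

    def header(self):
        if self._bytes(2) != b"X\n":
            raise ValueError("only XDR binary serialization is handled here")
        fmt, writer, minreader = self._int(), self._int(), self._int()
        if fmt == 3:
            self._bytes(self._int())                 # native encoding name, e.g. UTF-8
        return fmt, writer, minreader

    def item(self):
        flags = self._int()
        t, has_attr, has_tag = flags & 0xFF, bool(flags & 0x200), bool(flags & 0x400)
        self.types.append(t)
        if t in NO_PAYLOAD:
            return
        if t == 255:                                 # REFSXP: index packed in flags, else next int
            if (flags >> 8) == 0:
                self._int()
            return
        if t == 1:                                   # SYMSXP: followed by its CHARSXP name
            return self.item()
        if t in PAIRLIKE:                            # attr?, tag?, CAR, CDR (a PROMSXP lands here)
            if has_attr:
                self.item()
            if has_tag:
                self.item()
            self.item()
            return self.item()
        if t == 4:                                   # ENVSXP: locked flag, then 4 items
            self._int()
            for _ in range(4):
                self.item()
            return
        if t in (249, 250):                          # PACKAGESXP / NAMESPACESXP: 0, length, items
            if self._int() != 0:
                raise ValueError("malformed namespace reference")
            for _ in range(self._int()):
                self.item()
            return
        if t == 238:                                 # ALTREP_SXP: info, state, attr
            for _ in range(3):
                self.item()
            return
        if t == CHARSXP:
            n = self._int()
            if n != -1:                              # -1 encodes NA_character_
                self._bytes(n)
        elif t in (7, 8):                            # SPECIALSXP / BUILTINSXP: primitive name
            self._bytes(self._int())
        elif t in ELEM_SIZE:
            self._bytes(self._length() * ELEM_SIZE[t])
        elif t in ITEM_VECTORS:
            for _ in range(self._length()):
                self.item()
        elif t != 25:                                # S4SXP carries only attributes; others: fail closed
            raise ValueError(f"unsupported SEXP type {t}")
        if has_attr:
            self.item()


def scan_rds(data):
    """Walk one RDS stream; report the types seen and whether a promise is among them."""
    s = RdsScanner(data)
    fmt, writer, _ = s.header()
    s.item()
    if s.pos != len(s.buf):
        raise ValueError("trailing bytes after top-level object")
    return {"format": fmt, "writer": writer, "types": s.types, "has_promise": PROMSXP in s.types}


# Constructed samples (assumed writer version 4.3.0, UTF-8 native encoding).
def _i(v):
    return struct.pack(">i", v)

def _header():
    return b"X\n" + _i(3) + _i(0x040300) + _i(0x020300) + _i(5) + b"UTF-8"

def _char(s):
    return _i(0x00040009) + _i(len(s)) + s          # CHARSXP with the ASCII level bit set

BENIGN_RDS = _header() + _i(16) + _i(1) + _char(b"hi")                # character vector "hi"
PROMISE_RDS = (_header() + _i(19) + _i(1)                             # list of length 1 holding:
               + _i(PROMSXP | 0x400) + _i(253)                        #   promise, tag = globalenv
               + _i(13) + _i(1) + _i(1)                               #   CAR: already-forced value 1L
               + _i(1) + _char(b"x"))                                 #   CDR: code is the symbol x
PROMISE_RDS_GZ = gzip.compress(PROMISE_RDS)                           # as readRDS normally sees it
```

Run scan_rds on a file before readRDS does; anything reporting has_promise, or anything the scanner refuses to parse, should be treated as untrusted and opened only inside the sandbox or container the advisory recommends. This is a defence-in-depth layer for installations stuck below 4.4.0, not a substitute for the upgrade.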