Newly Discovered R Programming Language Vulnerability Could Lead to Supply Chain Attacks

April 29, 2024

A newly identified security vulnerability in the R programming language could be exploited to execute code when a malicious RDS file is loaded and referenced. The flaw, known as CVE-2024-27322, is linked to the use of promise objects and lazy evaluation in R, according to a report by AI application security firm HiddenLayer.

RDS, similar to Python's pickle, is a format used to save and serialize the state of data structures or objects in R, an open-source language widely used for statistical computing, data visualization, and machine learning. The serialization and deserialization process, using functions like serialize(), saveRDS(), unserialize(), and readRDS(), are also used when saving and loading R packages.

The core issue with CVE-2024-27322 is that it could lead to arbitrary code execution when untrusted data is deserialized, putting users at risk of supply chain attacks through malicious R packages. An attacker could exploit this flaw by leveraging the RDS format used by R packages to save and load data, leading to automatic code execution when the package is decompressed and deserialized.

HiddenLayer warned, "R packages are vulnerable to this exploit and can, therefore, be used as part of a supply chain attack via package repositories. For an attacker to take over an R package, all they need to do is overwrite the rdx file with the maliciously crafted file, and when the package is loaded, it will automatically execute the code."

This security vulnerability has been addressed in the 4.4.0 version of R, released on April 24, 2024, following responsible disclosure. HiddenLayer further explained, "An attacker can exploit this [flaw] by crafting a file in RDS format that contains a promise instruction setting the value to unbound_value and the expression to contain arbitrary code. Due to lazy evaluation, the expression will only be evaluated and run when the symbol associated with the RDS file is accessed."

This means that if a user assigns a symbol (variable) to an RDS file, the arbitrary code will be executed when the user references that symbol. If the object is compiled within an R package, the package can be added to an R repository such as CRAN, and the arbitrary code will run when a user loads that package.

Latest News

• Ukraine Targeted by Exploitation of Seven-Year-Old Microsoft Office Vulnerability
• CISA Adds Cisco and CrushFTP Flaws to Known Exploited Vulnerabilities Catalog
• North Korea's Lazarus Group Deploys New Kaolin RAT via Fake Job Lures
• Critical Vulnerability in Over 1,400 CrushFTP Servers Actively Exploited
• CISA Catalogs Microsoft Windows Print Spooler Flaw Exploited by APT28