Vulnerability in R Programming Language Could Fuel Supply Chain Attacks

A vulnerability (CVE-2024-27322) in the R programming language implementation can be exploited to execute arbitrary code and could be used as part of a supply chain attack.


A vulnerability in the R programming language implementation can be exploited to execute arbitrary code when a malicious RDS file is loaded and referenced, and could be used as part of a supply chain attack, AI security firm HiddenLayer warns.

Tracked as CVE-2024-27322 (CVSS score of 8.8), the issue was identified in R’s serialization and deserialization process, which is used for creating and loading RDS (R Data Serialization) files.

An open source programming language, R supports data visualization, machine learning, and statistical computing. It is widely used for statistical analysis in industries such as finance, government, and healthcare, and is also popular in AI and ML applications.

R has its own serialization format that is used when packages are saved and loaded. When a package is compiled, a .rdb file containing objects to be serialized and a .rdx file containing metadata associated with these objects and their offsets are created.

“When a package is loaded, the metadata stored in the RDS format within the .rdx file is used to locate the objects within the .rdb file. These objects are then decompressed and deserialized, essentially loading them as RDS files,” HiddenLayer explains.

R supports an instruction for creating a promise object, which has a symbol (variable) and an expression attached to it; the expression is run only after the symbol is accessed. R also uses lazy evaluation, a strategy in which symbols are evaluated only when they are needed.

An attacker can therefore create a promise object whose variable is set to an unbound value and whose expression contains arbitrary code. Because of lazy evaluation, the expression is evaluated only when the symbol associated with the RDS file is accessed, so the code runs as soon as the user references that symbol.

“Once the malicious file has been created and loaded by R, the exploit will run no matter how the variable is referenced,” HiddenLayer continued.
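As an added illustration of the mechanism described above (example code, not HiddenLayer's, R Core's or this article's), the following Python scanner walks the R serialization stream inside an RDS file and reports any promise objects (PROMSXP) it contains, so a defender can triage .rds and .rdx files without loading them in R. The SEXPTYPE codes and stream layout are R's own (Rinternals.h and serialize.c); the walker, the `find_promises` function and the two hand-built sample files are assumptions of this example, and the walker covers the common object types but not bytecode.

```python
# Added defensive example, not HiddenLayer's or R Core's code: walk the R
# serialization stream inside an RDS file and list any promise objects (PROMSXP).
# Type codes are R's SEXPTYPE values; the sample files at the bottom are constructed.
import gzip, struct

PROMSXP = 5
PAIRLIKE = {2, 3, 5, 6, 17}                       # LISTSXP CLOSXP PROMSXP LANGSXP DOTSXP
SINGLETONS = {241, 242, 247, 251, 252, 253, 254}  # envs, missing arg, unbound value, NULL
ELEMENT_BYTES = {10: 4, 13: 4, 14: 8, 15: 16, 24: 1}  # LGLSXP INTSXP REALSXP CPLXSXP RAWSXP


class RdsWalker:
    def __init__(self, data: bytes):
        self.buf, self.pos, self.promises = data, 0, []
    def _int(self) -> int:
        (v,) = struct.unpack_from(">i", self.buf, self.pos)   # XDR = big-endian 32-bit
        self.pos += 4
        return v
    def _bytes(self, n: int) -> bytes:
        b, self.pos = self.buf[self.pos:self.pos + n], self.pos + n
        if len(b) != n:
            raise ValueError("truncated stream")
        return b
    def _length(self) -> int:
        n = self._int()
        if n == -1:                                # long vector: two more 32-bit words
            n = ((self._int() & 0xFFFFFFFF) << 32) + (self._int() & 0xFFFFFFFF)
        return n
    def header(self):
        if self._bytes(2) != b"X\n":
            raise ValueError("only XDR binary RDS is handled here")
        version, _writer, _minimum = self._int(), self._int(), self._int()
        if version == 3:
            self._bytes(self._int())               # native encoding name
        elif version != 2:
            raise ValueError(f"unknown serialization version {version}")
    def item(self) -> int:
        flags = self._int()                        # type in the low byte, flag bits above it
        t, has_attr, has_tag = flags & 0xFF, bool(flags & 0x200), bool(flags & 0x400)
        if t in SINGLETONS:
            return t
        if t == 255:                               # REFSXP: index packed in flags or next word
            if flags >> 8 == 0:
                self._int()
            return t
        if t in (248, 249, 250):                   # PERSISTSXP PACKAGESXP NAMESPACESXP
            self._int()                            # names flag, always 0
            for _ in range(self._int()):
                self.item()
            return t
        if t == 1:                                 # SYMSXP: its CHARSXP name follows
            self.item()
            return t
        if t == 4:                                 # ENVSXP: locked flag, enclos, frame, hashtab, attrib
            self._int()
            for _ in range(4):
                self.item()
            return t
        if t == 238:                               # ALTREP_SXP: info, state, attr
            for _ in range(3):
                self.item()
            return t
        if t in PAIRLIKE:                          # attrib?, tag?, car, cdr
            if has_attr:
                self.item()
            if has_tag:
                self.item()
            car, cdr = self.item(), self.item()
            if t == PROMSXP:                       # car = PRVALUE, cdr = PRCODE
                self.promises.append((car, cdr))
            return t
        if t in (7, 8, 9):                         # SPECIALSXP BUILTINSXP CHARSXP (-1 = NA_STRING)
            self._bytes(max(self._int(), 0))
        elif t in ELEMENT_BYTES:                   # atomic vectors: fixed-width elements
            self._bytes(ELEMENT_BYTES[t] * self._length())
        elif t in (16, 19, 20):                    # STRSXP VECSXP EXPRSXP: nested items
            for _ in range(self._length()):
                self.item()
        elif t not in (23, 25):                    # WEAKREFSXP, S4SXP carry no payload
            raise ValueError(f"unsupported SEXPTYPE {t} (e.g. bytecode)")
        if has_attr:
            self.item()
        return t


def find_promises(raw: bytes) -> list:
    """Return (value_type, code_type) for every PROMSXP in a plain or gzip RDS file."""
    data = gzip.decompress(raw) if raw[:2] == b"\x1f\x8b" else raw
    w = RdsWalker(data)
    w.header()
    w.item()
    return w.promises


# Constructed samples: version-3 header (writer R 4.3.1, minimum R 3.5.0, UTF-8).
HEADER = b"X\n" + struct.pack(">iiii", 3, 0x040301, 0x030500, 5) + b"UTF-8"
BENIGN_RDS = HEADER + struct.pack(">iiiii", 13, 3, 1, 2, 3)            # c(1L, 2L, 3L)
# A promise with value UNBOUNDVALUE_SXP (252) and code the bare symbol `x`.
PROMISE_RDS = HEADER + struct.pack(">iiiii", 5, 252, 1, 0x40009, 1) + b"x"
PROMISE_RDS_GZ = gzip.compress(PROMISE_RDS)                             # as saveRDS() stores it
```

To check a real file, call `find_promises(open(path, "rb").read())`. A data file that should hold only vectors and data frames has no reason to contain promises at all, and a promise whose value type is 252 (unbound) paired with a call (LANGSXP, type 6) is exactly the shape the article describes.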


Enabling Software Supply Chain Attacks

The security firm also warns that, because RDS packages allow users to share compiled R code with others, and because there are numerous GitHub repositories dedicated to R, threat actors could abuse this vulnerability in supply chain attacks targeting R users.

readRDS, one of R’s functions that can be used to exploit the vulnerability, is referenced in over 135,000 R source files, and CRAN’s repository, which claims to have over 20,000 packages and allows anyone to upload code, does not check new packages against this vulnerability.

“Looking through the repositories, we found that a large amount of the usage was on untrusted, user-provided data, which could lead to a full compromise of the system running the program. Some source files containing potentially vulnerable code included projects from R Studio, Facebook, Google, Microsoft, AWS, and other major software vendors,” HiddenLayer explains.

To take over an R package, an attacker only needs to overwrite the .rdx file with their malicious file, ensuring that the code is automatically executed as soon as the package is loaded. By modifying a major system package, such as a compiler, the malicious code will be executed when R is initialized.
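The following added Python script (not the article's, HiddenLayer's or CRAN's tooling) turns the observation about readRDS usage into a triage step: it lists every readRDS, load and unserialize call in a body of R source and flags those whose first argument is not a string literal, since a path or connection computed at run time is where user-provided data can reach the deserializer. The function names, the regular expressions and the sample R source are constructed for this example; the comment stripping is deliberately naive and ignores `#` inside strings.

```python
# Added triage example, not the article's or HiddenLayer's code: inventory R
# deserialization entry points in source and flag calls with a non-literal argument.
import re

SINKS = ("readRDS", "load", "unserialize")            # functions that consume RDS/serialized data
CALL = re.compile(r"\b(" + "|".join(SINKS) + r")\s*\(\s*([^,)]*)")
LITERAL = re.compile(r'^(?:"[^"]*"|\'[^\']*\')\s*$')  # a single quoted string and nothing else


def inventory(source: str, filename: str = "<constructed>") -> list:
    """Return one finding per sink call: file, line, function, first argument, dynamic flag."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        code = line.split("#", 1)[0]               # drop R comments (naive: ignores '#' in strings)
        for m in CALL.finditer(code):
            func, arg = m.group(1), m.group(2).strip()
            findings.append({"file": filename, "line": lineno, "call": func, "arg": arg,
                             "dynamic": not LITERAL.match(arg)})
    return findings


def dynamic_sinks(source: str, filename: str = "<constructed>") -> list:
    """Only the calls whose input is decided at run time, the ones worth a manual look."""
    return [f for f in inventory(source, filename) if f["dynamic"]]


# Constructed R source resembling the usage patterns the article describes.
SAMPLE_R = """\
model <- readRDS("models/classifier.rds")      # fixed path shipped with the app
cfg <- readRDS(file.path(input_dir, "cfg.rds"))
load(uploaded_file)                            # file supplied by a web user
obj <- unserialize(readBin(con, "raw", 1e6))
# readRDS("commented-out.rds")
"""

if __name__ == "__main__":
    for f in dynamic_sinks(SAMPLE_R, "app.R"):
        print(f"{f['file']}:{f['line']}: {f['call']}({f['arg']}...) takes run-time input")
```

Pointed at a checkout with `inventory(open(path).read(), path)` per file, the dynamic findings give a short list of places to confirm that the R runtime has been updated to a patched version or that the input can only come from a trusted source.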

Patches for CVE-2024-27322 were included in R Core version 4.4.0, which was released as source code on April 24, with Windows and Mac binaries following shortly after. The updated version will also be included in various Linux distributions.

Related: GitHub Rolls Out ‘Code Scanning Autofix’ in Public Beta

Related: No Security Scrutiny for Half of Major Code Changes: AppSec Survey

Related: Malicious NuGet Packages Abuse MSBuild Integrations for Code Execution

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
