Exploitable R Programming Language Vulnerability (CVE-2024-27322) Enables Arbitrary Code Execution and Supply Chain Attacks.
Vulnerability in R Programming Language
A Critical R Programming Language Vulnerability (CVE-2024-27322) Allows Arbitrary Code Execution via Malicious RDS Files, Posing Supply Chain Threats, reported by AI Security Firm HiddenLayer.
Discovered within R’s serialization and deserialization process for RDS (R Data Serialization) files, this vulnerability, rated with a CVSS score of 8.8, exposes systems to exploitation.
R, an open-source programming language, serves as a robust tool for data visualization, machine learning, and statistical computing, widely adopted across finance, government, healthcare, and AI/ML domains.
R employs its serialization format for saving and loading packages, generating .rdb and .rdx files during compilation, housing serialized objects, metadata, and associated offsets. This serialization process is fundamental to R’s functionality, enabling efficient data storage and retrieval.
However, R’s support for promise objects and lazy evaluation poses a security risk, enabling attackers to embed arbitrary code within RDS files, executed upon accessing associated symbols.
Supply Chain Threats
HiddenLayer warns about potential supply chain attacks due to the widespread use of RDS packages for sharing compiled R code.
Moreover, functions like readRDS are referenced in over 135,000 R source files. This widespread adoption shows the urgency of addressing the CVE-2024-27322 vulnerability to prevent widespread exploitation.
Additionally, HiddenLayer emphasizes the risk of exploitation in supply chain attacks targeting R users, facilitated by untrusted, user-provided data in repositories, including projects from major software vendors.
Conclusion
In conclusion, the discovery of the CVE-2024-27322 vulnerability emphasizes the critical importance of proactive security measures and timely updates within the R programming language’s software ecosystem.
By promptly addressing vulnerabilities and fortifying security protocols, both developers and users can effectively mitigate risks, ensuring the resilience and integrity of their systems against potential threats.
Check out more articles about cyber security.