April 30, 2024 at 02:53PM
A new vulnerability discovered in R programming language (CVE-2024-27322) allows arbitrary code execution through specially crafted RDS and RDX files. This poses a significant threat due to extensive usage in critical sectors. It’s recommended to update to R Core v4.4.0 for mitigation, which restricts promise usage in serialization to prevent code execution and run RDS/RDX files in isolated environments.
Key takeaways from the meeting notes:
– A new vulnerability has been discovered in the R programming language, allowing arbitrary code execution upon deserializing specially crafted RDS and RDX files.
– The vulnerability, tracked as CVE-2024-27322, exploits the way R handles serialization and deserialization through promise objects and “lazy evaluation.”
– Attackers can embed promise objects with arbitrary code in the RDS file metadata in the form of expressions, which are then evaluated during deserialization, resulting in code execution.
– The attack involves a social engineering component, but attackers can also distribute the packages on widely used repositories and wait for victims to download them.
– The vulnerability has far-reaching implications due to its extensive use in critical sectors and the large number of packages deployed in data analysis environments without sufficient checks.
– Alert has been issued to warn projects and organizations that use R and the readRDS function on unverified packages to update to R Core version 4.4.0, which addresses CVE-2024-27322 and introduces restrictions on using promises in the serialization stream to prevent arbitrary code execution.
– Organizations that cannot immediately upgrade or want to implement additional security layers should run RDS/RDX files in isolated environments such as sandboxes and containers to prevent code execution on the underlying system.