Open source programming language R patches critical arbitrary code exec flaw

April 30, 2024 at 09:07PM

The open source R programming language has fixed a critical vulnerability, CVE-2024-27322, that could allow arbitrary code execution. The flaw was closed in version 4.4.0 of R Core, and upgrading is recommended. The flaw could be used to compromise the software supply chain and to trigger a hidden payload simply by opening the R console. Patch now.

The key takeaways from the article are:

1. The open source R programming language has patched a serious arbitrary code execution vulnerability tagged as CVE-2024-27322, with a preliminary CVSS severity rating of 8.8 out of 10.

2. This vulnerability can be exploited by loading a maliciously crafted RDS file or integrating a poisoned R package into a code base, potentially leading to the execution of a code payload that could leak the user’s files, delete data, or perform other malicious activities.

3. The vulnerability was fixed in version 4.4.0 of R Core, and it is strongly recommended to upgrade to this version to mitigate the risk.

4. Exploitation is somewhat involved: it abuses R's promise objects and lazy evaluation, as analysed by Kasimir Schulz and Kieran Evans of AI security firm HiddenLayer.

5. Proof-of-concept code demonstrating the flaw has been published, and more damaging payloads are possible.

6. There is a concern that the vulnerability could be used to compromise the software supply chain, particularly through malicious R packages uploaded to the Comprehensive R Archive Network (CRAN).

7. Loading a package, or even just opening the R console, could trigger the arbitrary code execution, so there are several potential attack vectors.
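
Points 2 and 7 both come down to untrusted RDS data being deserialized. As an added example (not code from the article, from HiddenLayer or from R Core), the following Python pre-load gate walks an RDS file's serialized object stream and refuses it if it carries a promise (PROMSXP) or any other non-data object, before the file is ever handed to readRDS(). It assumes R's XDR serialization layout (the "X\n" magic, 32-bit big-endian words, the object type in the low byte of each flags word) and whitelists only plain data types, so anything unfamiliar fails closed; the sample streams at the bottom are constructed for illustration.

```python
import gzip
import struct

PROMSXP, HAS_ATTR, HAS_TAG = 5, 1 << 9, 1 << 10
WIDTH = {9: 1, 10: 4, 13: 4, 14: 8, 15: 16, 24: 1}   # CHARSXP/LGL/INT/REAL/CPLX/RAW: bytes per element
NAMES = {3: "CLOSXP", 4: "ENVSXP", 5: "PROMSXP", 6: "LANGSXP", 238: "ALTREP_SXP"}

def int32(buf: bytes, pos: int) -> tuple[int, int]:   # XDR ints are 4-byte big-endian
    return struct.unpack_from(">i", buf, pos)[0], pos + 4

def walk(buf: bytes, pos: int) -> int:   # consume one object at pos, return offset after it; fail closed
    flags, pos = int32(buf, pos)
    t = flags & 0xFF                                    # low byte of the flags word is the SEXP type
    if t in (254, 255):                                 # NILVALUE_SXP, or REFSXP (index in high bits; 0 => next word)
        return pos + (4 if t == 255 and flags >> 8 == 0 else 0)
    if t == 1:                                          # SYMSXP: nested CHARSXP holding the name
        pos = walk(buf, pos)
    elif t in WIDTH:                                    # CHARSXP / atomic vector: length (-1 = NA string), raw data
        n, pos = int32(buf, pos)
        pos += max(n, 0) * WIDTH[t]
    elif t in (16, 19):                                 # STRSXP / VECSXP: length, then nested items
        n, pos = int32(buf, pos)
        for _ in range(n):
            pos = walk(buf, pos)
    elif t == 2:                                        # LISTSXP pairlist: [attrib] [tag] car cdr
        for bit in (HAS_ATTR, HAS_TAG):
            if flags & bit:
                pos = walk(buf, pos)
        return walk(buf, walk(buf, pos))
    else:                                               # PROMSXP, CLOSXP, LANGSXP, ENVSXP, ALTREP, ...
        raise ValueError(f"refused: {NAMES.get(t, t)} object in RDS stream")
    return walk(buf, pos) if flags & HAS_ATTR else pos  # attributes trail a vector's data

def scan_rds(blob: bytes) -> tuple[bool, str]:   # gate a raw or gzip RDS file before readRDS()
    try:
        blob = gzip.decompress(blob) if blob[:2] == b"\x1f\x8b" else blob
        if blob[:2] != b"X\n":
            raise ValueError("not an XDR-format RDS stream")
        fmt, pos = int32(blob, 2)[0], 14                # header: format, writer R version, minimum R version
        if fmt == 3:                                    # format 3 also carries the native encoding name
            pos += 4 + int32(blob, pos)[0]
        if walk(blob, pos) != len(blob):
            raise ValueError("stream length does not match the top-level object")
        return True, "only plain data objects found"
    except (ValueError, struct.error) as err:
        return False, str(err)

HEADER = b"X\n" + struct.pack(">iii", 2, 0x040300, 0x020300)   # constructed: format 2, R 4.3.0, min R 2.3.0
BENIGN = HEADER + struct.pack(">iiiii", 13, 3, 1, 2, 3)        # constructed: plain c(1L, 2L, 3L)
SUSPECT = HEADER + struct.pack(">i", PROMSXP | HAS_TAG)        # constructed stand-in: a promise where data belongs
```

Because the walker rejects every type it does not explicitly know (closures, language objects, environments, ALTREP wrappers, not just promises), a file that passes is limited to plain vectors, lists, strings and their attributes.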

In conclusion, it is crucial to patch promptly and upgrade to R Core version 4.4.0 to mitigate the risks associated with this security issue. Additionally, users should be cautious when loading RDS files or installing R packages, and should consider further precautions against attacks from malicious sources.
