April 30, 2024 at 10:16AM
AI security firm HiddenLayer warns that a vulnerability in the R programming language implementation (CVE-2024-27322, CVSS score 8.8) can be exploited by loading a malicious RDS file, allowing arbitrary code execution. This poses a risk of supply chain attacks, particularly within the R community. Patches for this vulnerability have been included in R Core version 4.4.0.
Key takeaways from the meeting notes:
1. A vulnerability (CVE-2024-27322) was identified in the R programming language implementation, allowing for the execution of arbitrary code when a malicious RDS file is loaded and referenced. This vulnerability could be exploited in supply chain attacks targeting R users.
2. The vulnerability was traced to R’s serialization and deserialization process, which is used to create and load RDS files. When a package is loaded, the metadata stored in RDS format within the .rdx file is used to locate the objects within the .rdb file. These objects are then decompressed and deserialized, effectively loading them as RDS files.
3. Exploitation involves creating a promise object whose value is set to the unbound value and whose expression contains arbitrary code. Because of lazy evaluation, the expression is evaluated and run only when the symbol associated with the RDS file is accessed.
4. Threat actors could abuse this vulnerability in supply chain attacks targeting R users, particularly through untrusted, user-provided data and through potentially vulnerable code in projects from major software vendors that is available in GitHub repositories.
5. The patches for CVE-2024-27322 were included in R Core version 4.4.0, released as source code on April 24, with Windows and Mac binaries following shortly afterwards. The updated version will also be included in various Linux distributions.
These takeaways provide an overview of the vulnerability, its potential impact, and the availability of patches to address the issue.
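Because the promise described in item 3 is only forced when its symbol is accessed, the safe way to check an untrusted RDS file is to walk its serialized bytes without ever deserializing it in R. The following is an added example, not HiddenLayer's or R Core's code: a minimal Python walker over R's XDR serialization format that records every SEXP type code it meets and flags any PROMSXP (type 5), which an ordinary data file has no reason to contain. The sample streams at the bottom are constructed by hand (a version-2 header with a promise whose value is unbound, and a plain integer vector); byte-compiled closures (BCODESXP) are reported as unsupported rather than parsed, and only gzip-compressed or uncompressed files are handled.

```python
import gzip, struct

PAIRLIKE = {2, 3, 5, 6, 17}                     # LISTSXP CLOSXP PROMSXP LANGSXP DOTSXP: attr, tag, CAR, CDR
SINGLETON = {241, 242, 247, 251, 252, 253, 254}  # base/empty env, base ns, missing arg, unbound, global env, NULL

class RdsScanner:                                # walks the XDR stream and records SEXP type codes; evaluates nothing
    def __init__(self, data): self.buf, self.pos, self.types = data, 0, set()
    def i32(self): (v,) = struct.unpack_from(">i", self.buf, self.pos); self.pos += 4; return v
    def skip(self, n): b = self.buf[self.pos:self.pos + n]; self.pos += n; return b
    def length(self): n = self.i32(); return (self.i32() << 32) | self.i32() if n == -1 else n  # -1: long vector
    def item(self):
        flags = self.i32()
        t, attr, tag = flags & 0xFF, flags & 0x200, flags & 0x400
        self.types.add(t)
        if t in SINGLETON: return
        if t == 255: return flags >> 8 or self.i32()         # REFSXP: index packed in flags, or in the next int
        if t == 1: self.item()                               # SYMSXP: its CHARSXP name follows
        elif t in (248, 249): self.i32(); [self.item() for _ in range(self.i32())]  # PACKAGESXP/NAMESPACESXP
        elif t == 4: self.i32(); [self.item() for _ in range(4)]   # ENVSXP: locked, enclos, frame, hashtab, attrib
        elif t == 238: [self.item() for _ in range(3)]             # ALTREP_SXP: info, state, attr
        elif t in PAIRLIKE:
            if attr: self.item()
            if tag: self.item()
            self.item(); self.item()
        else:
            if t == 9: self.skip(max(self.i32(), 0))         # CHARSXP: length (-1 = NA_STRING) then bytes
            elif t in (7, 8): self.skip(self.i32())          # SPECIALSXP/BUILTINSXP: primitive name
            elif t in (10, 13): self.skip(4 * self.length())          # LGLSXP/INTSXP
            elif t == 14: self.skip(8 * self.length())                # REALSXP
            elif t == 15: self.skip(16 * self.length())               # CPLXSXP
            elif t == 24: self.skip(self.length())                    # RAWSXP
            elif t in (16, 19, 20): [self.item() for _ in range(self.length())]  # STRSXP/VECSXP/EXPRSXP
            elif t == 22: self.item(); self.item()                    # EXTPTRSXP: prot, tag
            elif t not in (23, 25):                                   # WEAKREFSXP/S4SXP carry nothing more
                raise ValueError(f"unsupported SEXP type {t} (e.g. bytecode)")
            if attr: self.item()                                      # trailing attribute pairlist

def scan_rds(data):                              # set of SEXP type codes in a saveRDS()/save() stream
    if data[:2] == b"\x1f\x8b": data = gzip.decompress(data)
    if data[:5] in (b"RDX2\n", b"RDX3\n"): data = data[5:]   # save() files carry this prefix
    if data[:2] != b"X\n": raise ValueError("only XDR binary streams are handled")
    s = RdsScanner(data); s.pos = 2; version = s.i32(); s.i32(); s.i32()   # format, writer R, minimal R
    if version == 3: s.skip(s.i32())                                       # native encoding name
    s.item(); return s.types

def has_promise(data): return 5 in scan_rds(data)   # PROMSXP anywhere in the stream is a red flag

def _i(v): return struct.pack(">i", v)
def _ch(s): return _i(9 | 64 << 12) + _i(len(s)) + s          # ASCII CHARSXP
HDR = b"X\n" + _i(2) + _i(0x040400) + _i(0x020300)              # constructed version-2 header
SAMPLE_PROMISE = (HDR + _i(5 | 0x400) + _i(253) + _i(252) + _i(6) + _i(1) + _ch(b"cat")
                  + _i(2) + _i(16) + _i(1) + _ch(b"hi") + _i(254))  # constructed: promise(unbound, cat("hi"), globalenv)
SAMPLE_INTS = HDR + _i(13) + _i(2) + _i(1) + _i(2)             # constructed: c(1L, 2L)
```

Run `has_promise(open(path, "rb").read())` on a file before it is ever passed to readRDS or load; a ValueError means the file uses a construct the walker does not cover and should be inspected by other means.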