The Information Highway

The Information Highway

Font size: +
2 minutes reading time (419 words)

R Programming Vulnerability

Threat update

A critical security flaw known as CVE-2024-27322 with a CVSS score of 8.8, has been discovered within the R programming language. Attackers can craft malicious RDS files or R packages that embed arbitrary R code. 

Technical Detail and Additional Info

What is the threat?

CVE-2024-27322 enables arbitrary code execution by deserializing untrusted data, posing a substantial security risk. The vulnerability can be exploited through the use of RDS (R Data Serialization) files or R packages, which are commonly exchanged among developers and data scientists in the deserialization mechanism of the R programming environment. Attackers can exploit this vulnerability by crafting RDS files that embed promise objects with malicious code.

The vulnerability in R involves two core concepts: "lazy evaluation" and "promise objects". "Lazy evaluation" is a programming strategy used in R where an expression or variable is not evaluated until it is explicitly required. This method intends to enhance performance by deferring computations for expressions that ultimately may not have a need. A "promise object" is an integral part of lazy evaluation and represents a value that is postponed until its evaluation is necessary.

Attackers can create a promise object embedded with a malicious payload. This payload is programmed to execute the chosen code when the object is accessed during the deserialization of an RDS file. 

Why is it noteworthy?

R is a widely popular open-source language for statistical computing and machine learning. This is prevalent across vital industries including healthcare, finance, and government. The exploitation of this vulnerability could have extensive consequences, impacting critical operations and sensitive data across these sectors. 

What is the exposure or risk?

The exploitation risk arises when an attacker constructs an RDS file containing a promise object specifically crafted to include arbitrary executable code. Due to R's lazy evaluation mechanism, execution of this code occurs when a user accesses the malicious file or package. By introducing such a weaponized package into a commonly used R repository, like CRAN, an attacker can target users broadly, waiting for an unwitting individual to download and use the compromised package. 

What are the recommendations?

 LBT Technology Group recommends the following actions to secure your environment against this attack:

  • Update all R installations to version 4.4.0 or later to mitigate this vulnerability.
  • Restrict interaction with untrusted RDS files and packages to minimize exposure.

References

City of Wichita shuts down IT network after ransom...
Android bug leaks DNS queries even when VPN kill s...

Related Posts

 

Comments

No comments made yet. Be the first to submit a comment
Monday, 23 December 2024

Captcha Image

Top Breaches Of 2023

Customers Affected In T-Mobile Breach
Accounts Affected In MOVEit Breach
Customers Affected In MCNA Insurance Data Breach
Individuals Affected In PharMerica Data Breach
Users Affected In ChatGPT Major Data Breach
*Founder Shield End of Year 2023