CVE-2024-27322: Vulnerability in R Allows Arbitrary Code Execution

A critical vulnerability has been identified in the R programming language, which organizations in many sectors use for statistical and graphical applications. The flaw, tracked as CVE-2024-27322, could allow attackers to execute arbitrary code in target environments via specially crafted files, exposing these organizations to significant software supply chain risk.


DESCRIPTION OF THE PROBLEM

The problem lies in R’s deserialization process, which reconstructs in-memory objects from a serialized representation (formats such as JSON, XML, or R’s own binary format) so that applications and programs can use them. HiddenLayer researchers discovered a vulnerability in this process that could be exploited by attackers using specially crafted R Data Serialization (RDS) files.


GRAVITY AND SOLUTION

The vulnerability has a CVSS score of 8.8 out of 10, indicating a very high level of risk. It was reported to the R maintainers, who fixed it in version 4.4.0. However, the threat remains significant for organizations that have not updated their software.

HOW THE ATTACK WORKS

The researchers found that attackers can create RDS files containing promise objects whose code is attacker-controlled. A promise is evaluated lazily, so when such a file is loaded into an R environment the embedded code runs as soon as the deserialized object is accessed, without the user’s knowledge. Given R’s popularity in sectors such as financial services, healthcare, and government, the potential for a widespread attack is considerable.

CONSEQUENCES AND RECOMMENDATIONS

The risk of this vulnerability is particularly high due to the breadth of the R ecosystem. With more than 20,000 packages available on the Comprehensive R Archive Network (CRAN) and more than 15,800 registered members on R-Forge, a successful attack could affect thousands of users.

To mitigate the risk, organizations are advised to upgrade to the latest version of R and to restrict package installation to trusted sources. It is also important to make users aware of this vulnerability and to encourage good security practices, in particular not loading untrusted files or packages.


CONCLUSION

The CVE-2024-27322 vulnerability in R highlights the importance of keeping software up-to-date and being cautious with files and packages from unknown sources. Organizations that rely on R for statistical analysis and other applications should take immediate steps to protect against potential attacks throughout the software supply chain.
