Security researchers at HiddenLayer have discovered a vulnerability in the R programming language that allows for arbitrary code execution by deserializing untrusted data.
This vulnerability can have significant implications for major organizations in the healthcare, finance, and government industries.
For those unaware, R is an open-source programming language and software environment for statistical computing, data visualization, and machine learning.
The vulnerability, assigned the CVE identifier CVE-2024-27322, “involves the use of promise objects and lazy evaluation in R,” HiddenLayer, the leading security provider for artificial intelligence (AI) models and assets, said in a report shared with The Hacker News.
Further, the vulnerability can be exploited through the loading of RDS (R Data Serialization) files or R packages, which are often shared between developers and data scientists.
According to the researchers, an attacker can create malicious RDS files or R packages containing embedded arbitrary R code that executes on the victim's device as soon as the loaded object is used. In other words, the vulnerability allows an attacker to craft a malicious RDS (R Data Serialization) file whose embedded code runs once the file is loaded and the resulting object is referenced.
Several functions within R can be used to serialize and deserialize data, which differ from each other to some extent but ultimately leverage the same internal code.
For example, the same serialization (serialize() or saveRDS()) and deserialization (unserialize() and readRDS()) routines are also used when saving and loading R packages, which leaves users exposed to supply chain attacks.
“R packages are vulnerable to this exploit and can, therefore, be used as part of a supply chain attack via package repositories. For an attacker to take over an R package, all they need to do is overwrite the rdx file with the maliciously crafted file, and when the package is loaded, it will automatically execute the code,” the company said.
Given the widespread usage of R, HiddenLayer disclosed the security vulnerability to the team at R, following which the issue was addressed in version 4.4.0 released on April 24, 2024.
“An attacker can exploit this [flaw] by crafting a file in RDS format that contains a promise instruction setting the value to unbound_value and the expression to contain arbitrary code. Due to lazy evaluation, the expression will only be evaluated and run when the symbol associated with the RDS file is accessed,” HiddenLayer added.
“Therefore if this is simply an RDS file, when a user assigns it a symbol (variable) in order to work with it, the arbitrary code will be executed when the user references that symbol. If the object is compiled within an R package, the package can be added to an R repository such as CRAN, and the expression will be evaluated and the arbitrary code run when a user loads that package.”