A security vulnerability has been found in the R programming language that could be exploited by a threat actor to create a malicious RDS (R Data Serialization) file that results in code execution when it is loaded and referenced.
The flaw, assigned the CVE identifier CVE-2024-27322 (CVSS score: 8.8), “involves the use of promise objects and lazy evaluation in R,” AI application security company HiddenLayer said in a report shared with The Hacker News.
RDS, like pickle in Python, is a format used to serialize and save the state of data structures or objects in R, an open-source programming language used in statistical computing, data visualization, and machine learning.
This process of serialization – serialize() or saveRDS() – and deserialization – unserialize() and readRDS() – is also leveraged when saving and loading R packages.
The root cause of CVE-2024-27322 lies in the fact that it can lead to arbitrary code execution when deserializing untrusted data, thus leaving users exposed to supply chain attacks through specially crafted R packages.
An attacker looking to weaponize the flaw could therefore take advantage of the fact that R packages leverage the RDS format to save and load data, causing automatic code execution when the package is decompressed and deserialized.
“R packages are vulnerable to this exploit and can, therefore, be used as part of a supply chain attack via package repositories,” security researchers Kasimir Schulz and Kieran Evans said. “For an attacker to take over an R package, all they need to do is overwrite the rdx file with the maliciously crafted file, and when the package is loaded, it will automatically execute the code.”
The security defect has been addressed in version 4.4.0 released on April 24, 2024, following responsible disclosure.
“An attacker can exploit this [flaw] by crafting a file in RDS format that contains a promise instruction setting the value to unbound_value and the expression to contain arbitrary code,” HiddenLayer said. “Due to lazy evaluation, the expression will only be evaluated and run when the symbol associated with the RDS file is accessed.”
“Therefore if this is simply an RDS file, when a user assigns it a symbol (variable) in order to work with it, the arbitrary code will be executed when the user references that symbol. If the object is compiled within an R package, the package can be added to an R repository such as CRAN, and the expression will be evaluated and the arbitrary code run when a user loads that package.”
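As an added example (not code from HiddenLayer, CERT/CC or the R project), the following Python script turns the description above into a triage check for files you did not produce yourself: it gunzips an .rds/.rdx blob the way readRDS does, verifies the XDR serialization header, and looks for the byte pattern the article describes, a promise object whose value is unbound_value. The type codes are the ones R's serialize.c uses; the two sample files are constructed inside the script. The signature is a heuristic: a promise that carries an environment serializes that environment between the two words and is only reported by the looser promise count, and a byte-wise scan can in principle match inside a string or raw vector, so treat the output as a reason to inspect or refuse a file rather than as proof either way.

```python
"""Heuristic scanner for RDS files that carry an unbound promise object.

Added example for this article, not code from HiddenLayer, CERT/CC or the R
project. R's serializer writes a promise as a PROMSXP flags word followed by
its environment (if any), its value and its expression, so a promise whose
value was set to unbound_value shows up as the PROMSXP word immediately
followed by the UNBOUNDVALUE marker. Type codes are taken from R's
serialize.c; the sample files further down are constructed.
"""
import gzip
import struct

# SEXPTYPE and pseudo-type codes used by R's serialization format
PROMSXP = 5             # promise object
INTSXP = 13             # integer vector (used for the benign sample)
UNBOUNDVALUE_SXP = 252  # marker written for R_UnboundValue
NILVALUE_SXP = 254      # marker written for NULL
HAS_ATTR = 1 << 9       # flags bit: item carries attributes
HAS_TAG = 1 << 10       # flags bit: item carries a tag (the env, for a promise)

# Flag words the serializer emits for a promise with no levels/object bits set
PROMISE_WORDS = {PROMSXP | attr | tag for attr in (0, HAS_ATTR) for tag in (0, HAS_TAG)}


def _decompress(data: bytes) -> bytes:
    """readRDS transparently gunzips, so scan the decompressed stream."""
    if data[:2] == b"\x1f\x8b":
        return gzip.decompress(data)
    return data


def scan_rds(data: bytes) -> dict:
    """Return a triage summary; only the XDR ('X\\n') binary format is handled."""
    stream = _decompress(data)
    if stream[:2] != b"X\n":
        return {"supported": False, "format": stream[:2].decode("latin-1"),
                "promise_words": 0, "unbound_promise": False}
    fmt_version = struct.unpack(">i", stream[2:6])[0]
    unbound = struct.pack(">i", UNBOUNDVALUE_SXP)
    promise_words = 0
    unbound_promise = False
    # Strings and raw vectors make the stream unaligned, so check every offset.
    for off in range(len(stream) - 3):
        word = struct.unpack(">i", stream[off:off + 4])[0]
        if word in PROMISE_WORDS:
            promise_words += 1
            # Tight signature: promise with a NULL env whose value is unbound.
            # A promise that carries an env serializes it between the two
            # words, so it is only counted above (possible false negative here).
            if (word & HAS_TAG) == 0 and stream[off + 4:off + 8] == unbound:
                unbound_promise = True
    return {"supported": True, "format": "xdr", "version": fmt_version,
            "promise_words": promise_words, "unbound_promise": unbound_promise}


def _xdr_header(fmt_version: int = 2) -> bytes:
    """'X\\n', format version, writer R version, minimum reader R version."""
    return b"X\n" + struct.pack(">iii", fmt_version, 0x040300, 0x020300)


# Constructed benign file: the integer vector c(1L, 2L)
BENIGN_RDS = _xdr_header() + struct.pack(">iiii", INTSXP, 2, 1, 2)

# Constructed test vector for the signature: a promise with NULL env, an
# unbound value and NULL where the expression would sit (shape only, no payload)
SUSPECT_RDS = _xdr_header() + struct.pack(">iii", PROMSXP, UNBOUNDVALUE_SXP, NILVALUE_SXP)
SUSPECT_RDS_GZ = gzip.compress(SUSPECT_RDS)  # saveRDS compresses by default


if __name__ == "__main__":
    for name, blob in [("benign", BENIGN_RDS), ("suspect", SUSPECT_RDS_GZ)]:
        print(name, scan_rds(blob))
```

Run it over a directory of .rds and .rdx files before loading them on an R installation older than 4.4.0; anything with a non-zero promise count deserves a look, and the tight unbound_promise signature matches the exact shape the report describes.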
Update
The CERT Coordination Center (CERT/CC) has released an advisory for CVE-2024-27322, noting that the flaw could be exploited to achieve arbitrary code execution on the victim’s target machine via malicious RDS or rdx files.
“An attacker can create malicious .rds and .rdx files and use social engineering to distribute these files to execute arbitrary code on the victim’s machine,” CERT/CC said. “Projects that use readRDS on untrusted files are also vulnerable to the attack.”