A new vulnerability has been discovered in the R programming language that allows arbitrary code execution upon deserializing specially crafted RDS and RDX files.
R is an open-source programming language that is particularly popular among statisticians and data miners who develop and use custom data analysis models, and it is also seeing increased adoption by the emerging AI/ML field.
Researchers at HiddenLayer recently discovered a vulnerability in R, tracked as CVE-2024-27322 (CVSS v3: 8.8), that enables attackers to run arbitrary code on target machines when the victim opens R Data Serialization (RDS) or R package files (RDX).
The vulnerability exploits the way R handles serialization (‘saveRDS’) and deserialization (‘readRDS’), particularly through promise objects and “lazy evaluation.”
Attackers can embed promise objects with arbitrary code in the RDS file metadata in the form of expressions, which are evaluated during deserialization, resulting in the code’s execution.
The victim must be convinced or tricked into executing those files, so the attack involves a social engineering component.
However, attackers can opt for a more passive approach, distributing the packages on widely used repositories and waiting for victims to download them.
Impact and mitigation
HiddenLayer explains that CVE-2024-27322 has far-reaching implications due to its extensive use in critical sectors and the large number of packages deployed in data analysis environments without sufficient checks.
“After searching GitHub, our team discovered that readRDS, one of the many ways this vulnerability can be exploited, is referenced in over 135,000 R source files. Looking through the repositories, we found that a large amount of the usage was on untrusted, user-provided data, which could lead to a full compromise of the system running the program. Some source files containing potentially vulnerable code included projects from R Studio, Facebook, Google, Microsoft, AWS, and other major software vendors.” – HiddenLayer
CERT/CC has issued an alert to warn projects and organizations that use R and the readRDS function on unverified packages of the need to update to R Core version 4.4.0, which addresses CVE-2024-27322.
Released on April 24, 2024, R Core v4.4.0 introduces restrictions on using promises in the serialization stream, preventing arbitrary code execution.
Organizations that cannot upgrade immediately or want to implement additional security layers should run RDS/RDX files in isolated environments such as sandboxes and containers to prevent code execution on the underlying system.