
A security vulnerability has been discovered in the R programming language that could be exploited by a threat actor to create a malicious RDS (R Data Serialization) file such that it results in code execution when loaded and referenced.
The flaw, assigned the CVE identifier CVE-2024-27322, “involves the use of promise objects and lazy evaluation in R,” AI application security company HiddenLayer said in a report shared with The Hacker News.
RDS, like pickle in Python, is a format used to serialize and save the state of data structures or objects in R, an open-source programming language used in statistical computing, data visualization, and machine learning.

This process of serialization – serialize() or saveRDS() – and deserialization – unserialize() and readRDS() – is also leveraged when saving and loading R packages.
The root cause behind CVE-2024-27322 lies in the fact that it could lead to arbitrary code execution when deserializing untrusted data, thus leaving users exposed to supply chain attacks through specially crafted R packages.
An attacker looking to weaponize the flaw could therefore take advantage of the fact that R packages leverage the RDS format to save and load data, causing automatic code execution when the package is decompressed and deserialized.
“R packages are vulnerable to this exploit and can, therefore, be used as part of a supply chain attack via package repositories,” security researchers Kasimir Schulz and Kieran Evans said. “For an attacker to take over an R package, all they need to do is overwrite the rdx file with the maliciously crafted file, and when the package is loaded, it will automatically execute the code.”
The security defect has been addressed in version 4.4.0 released on April 24, 2024, following responsible disclosure.

“An attacker can exploit this [flaw] by crafting a file in RDS format that contains a promise instruction setting the value to unbound_value and the expression to contain arbitrary code,” HiddenLayer said. “Due to lazy evaluation, the expression will only be evaluated and run when the symbol associated with the RDS file is accessed.”
“Therefore if this is simply an RDS file, when a user assigns it a symbol (variable) in order to work with it, the arbitrary code will be executed when the user references that symbol. If the object is compiled within an R package, the package can be added to an R repository such as CRAN, and the expression will be evaluated and the arbitrary code run when a user loads that package.”