A critical vulnerability (CVE-2024-27322) in the R programming language exposes systems to arbitrary code execution
Official CVE-2024-27322 patching information
A recently disclosed vulnerability, CVE-2024-27322, affects the R programming language, which is widely used by statisticians and data miners and increasingly in AI/ML applications. Rated 8.8 on CVSS v3, it is a high-severity flaw that lets an attacker execute arbitrary code on a target machine.
Please see “What is vulnerability in cyber security?” for more general information.
Mechanism of the CVE-2024-27322 Threat
The flaw lies in R's serialization (saveRDS) and deserialization (readRDS) routines, specifically in how promise objects, the mechanism behind R's lazy evaluation, are represented in the serialized stream. An attacker can craft an R Data Serialization (RDS) file or an R package file (RDX) that embeds malicious code in the file metadata as expressions; those expressions are evaluated during deserialization, giving unauthorized code execution on the victim's system.
Execution and Exploitation
For the attack to succeed, the victim must be induced to open the compromised file, which adds a social engineering element to the threat and a clear call for . Alternatively, attackers could publish malicious packages to popular repositories and wait for unsuspecting users to download and load them, extending the attack's reach without any direct interaction.
Widespread Impact and Potential Risks
R's widespread use in critical data analysis sectors makes the potential impact broad. A survey of GitHub found the vulnerable readRDS function in over 135,000 R source files, many of which read untrusted, user-supplied data and therefore risk system compromise. Affected projects include ones associated with major technology firms and software vendors, underscoring how far the impact could reach.
Mitigation and Response
In response to the discovery, CERT/CC has issued a widespread alert to all projects and organizations that use R and call readRDS on unverified packages. The recommended action is to update to R version 4.4.0 from R Core, released on April 24, 2024. This release introduces restrictions that prevent promises from being used in the serialization stream, closing the arbitrary code execution path.
Organizations that cannot upgrade immediately should open RDS/RDX files only in controlled environments such as sandboxes or containers, so that any code triggered during deserialization cannot reach the underlying system.
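The mechanism section above describes promises hidden in the RDS stream, and the mitigation section recommends isolating RDS files that cannot yet be opened with R 4.4.0. A defensive pre-check that ties the two together is to walk the serialized object tree and refuse any stream that contains a PROMSXP node before R ever deserializes it. The scanner below is an added example written for this page, not code from R Core or CERT/CC; it follows the layout of R's XDR serialization format (versions 2 and 3, gzip-wrapped as saveRDS produces) as documented in R's serialize.c, handles the common node types and fails closed on anything it does not understand. The two byte strings it checks are hand-assembled samples constructed for the example, not real saveRDS output.

```python
import gzip
import struct

# SEXPTYPE codes (Rinternals.h) and the serializer's own pseudo-types (serialize.c)
SYMSXP, LISTSXP, CLOSXP, ENVSXP, PROMSXP, LANGSXP = 1, 2, 3, 4, 5, 6
SPECIALSXP, BUILTINSXP, CHARSXP, LGLSXP, INTSXP, REALSXP, CPLXSXP = 7, 8, 9, 10, 13, 14, 15
STRSXP, DOTSXP, VECSXP, EXPRSXP, EXTPTRSXP, WEAKREFSXP, RAWSXP, S4SXP = 16, 17, 19, 20, 22, 23, 24, 25
REFSXP, NILVALUE_SXP, GLOBALENV_SXP, UNBOUNDVALUE_SXP, MISSINGARG_SXP = 255, 254, 253, 252, 251
BASENAMESPACE_SXP, NAMESPACESXP, PACKAGESXP, PERSISTSXP, EMPTYENV_SXP, BASEENV_SXP = 250, 249, 248, 247, 242, 241
PAIRLIST_TYPES = {LISTSXP, LANGSXP, CLOSXP, PROMSXP, DOTSXP}
LEAF_TYPES = {NILVALUE_SXP, GLOBALENV_SXP, UNBOUNDVALUE_SXP, MISSINGARG_SXP,
              BASENAMESPACE_SXP, EMPTYENV_SXP, BASEENV_SXP}


class RdsPromiseScanner:
    """Walk an XDR-format R serialization stream and count promise (PROMSXP) nodes."""

    def __init__(self, data: bytes):
        if data[:2] == b"\x1f\x8b":           # saveRDS() gzips the stream by default
            data = gzip.decompress(data)
        self.data, self.pos, self.promises = data, 0, 0

    def _int(self) -> int:
        v = struct.unpack_from(">i", self.data, self.pos)[0]   # XDR ints are big-endian
        self.pos += 4
        return v

    def _skip(self, n: int) -> None:
        if n < 0 or self.pos + n > len(self.data):
            raise ValueError("truncated or malformed stream")
        self.pos += n

    def _length(self) -> int:
        n = self._int()
        if n == -1:                            # long vector: 64-bit length in two more ints
            n = (self._int() << 32) | (self._int() & 0xFFFFFFFF)
        return n

    def scan(self) -> int:
        if self.data[:2] != b"X\n":
            raise ValueError("only the XDR binary format is handled (ASCII 'A\\n' is rejected)")
        self.pos = 2
        version, _writer_version, _min_reader_version = self._int(), self._int(), self._int()
        if version == 3:
            self._skip(self._int())            # native encoding name, e.g. "UTF-8"
        elif version != 2:
            raise ValueError(f"unknown serialization version {version}")
        self._item()
        return self.promises

    def _item(self) -> None:
        flags = self._int()
        t = flags & 0xFF                       # low byte is the SEXPTYPE
        has_attr, has_tag = bool(flags & 0x200), bool(flags & 0x400)
        if t == PROMSXP:
            self.promises += 1
        if t in LEAF_TYPES:
            return
        if t == REFSXP:                        # back-reference into the symbol/env table
            if (flags >> 8) == 0:
                self._int()                    # index did not fit in the flags word
            return
        if t in (PERSISTSXP, NAMESPACESXP, PACKAGESXP):
            self._int()                        # placeholder flags word
            for _ in range(self._int()):       # string vector of names
                self._item()
            return
        if t == SYMSXP:
            self._item()                       # PRINTNAME as a CHARSXP
            return
        if t in PAIRLIST_TYPES:                # attr, tag, CAR, CDR in that order
            if has_attr:
                self._item()
            if has_tag:
                self._item()
            self._item()
            self._item()
            return
        if t == ENVSXP:
            self._int()                        # locked flag
            for _ in range(4):                 # enclos, frame, hashtab, attrib
                self._item()
            return
        if t == CHARSXP:
            n = self._int()
            if n >= 0:                         # -1 encodes NA_STRING
                self._skip(n)
        elif t in (LGLSXP, INTSXP):
            self._skip(4 * self._length())
        elif t == REALSXP:
            self._skip(8 * self._length())
        elif t == CPLXSXP:
            self._skip(16 * self._length())
        elif t == RAWSXP:
            self._skip(self._length())
        elif t in (STRSXP, VECSXP, EXPRSXP):
            for _ in range(self._length()):
                self._item()
        elif t in (SPECIALSXP, BUILTINSXP):
            self._skip(self._int())            # primitive name
        elif t == EXTPTRSXP:
            self._item()                       # prot
            self._item()                       # tag
        elif t in (S4SXP, WEAKREFSXP):
            pass                               # nothing but attributes follow
        else:
            raise ValueError(f"unsupported SEXP type {t} at offset {self.pos - 4}")
        if has_attr:                           # vector-like types carry attributes last
            self._item()


def count_promises(data: bytes) -> int:
    return RdsPromiseScanner(data).scan()


def is_safe_to_load(data: bytes) -> bool:
    """Fail closed: only a fully parsed, promise-free stream passes."""
    try:
        return count_promises(data) == 0
    except (ValueError, struct.error):
        return False


def _header(version: int) -> bytes:
    h = b"X\n" + struct.pack(">iii", version, 0x040300, 0x020300)   # writer 4.3.0, min reader 2.3.0
    return h + struct.pack(">i", 5) + b"UTF-8" if version == 3 else h


# Constructed samples for this example (hand-assembled, not produced by saveRDS).
BENIGN_RDS = _header(2) + struct.pack(">ii", REALSXP, 3) + struct.pack(">ddd", 1.0, 2.0, 3.0)
# A one-element list whose element is a promise: unbound value, code = the constant 42.
PROMISE_RDS = (_header(3) + struct.pack(">ii", VECSXP, 1)
               + struct.pack(">i", PROMSXP) + struct.pack(">i", UNBOUNDVALUE_SXP)
               + struct.pack(">ii", REALSXP, 1) + struct.pack(">d", 42.0))
PROMISE_RDS_GZ = gzip.compress(PROMISE_RDS)

if __name__ == "__main__":
    for name, blob in (("benign", BENIGN_RDS), ("promise (gzipped)", PROMISE_RDS_GZ)):
        print(f"{name}: promises={count_promises(blob)} safe={is_safe_to_load(blob)}")
```

The check deliberately mirrors what R 4.4.0 does at unserialize time, so it is a stop-gap for hosts still on older R rather than a replacement for the upgrade. Because it rejects ASCII-format streams, bytecode and other node types it does not walk, a file that fails the check should be treated as untrusted and opened only inside the sandbox the mitigation section describes, never silently skipped.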
An Ongoing Rise in Vulnerabilities
The discovery of CVE-2024-27322 in the R programming language highlights the ongoing vulnerabilities in widely used software and the continuous need for vigilance and prompt action in cybersecurity practices.
In 2024 there has been a notable increase in vulnerabilities exploited in the wild, such as CVE-2024-2389, CVE-2024-22245, CVE-2024-28890, CVE-2024-21412, CVE-2023-48788 and CVE-2024-21413, to name but a few, and, according to Google's Threat Analysis Group (TAG), a rise in zero-day exploits.
Organizations that rely on R for data analysis and development should assess their exposure to this vulnerability immediately and apply the necessary updates or protective measures to guard their systems against exploitation.
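The GitHub survey above located readRDS call sites at scale, and the closing paragraph asks organizations to assess their own exposure. The script below is an added example for this page, not tooling from the advisory or from R Core, that performs that assessment on a local code base: it lists every line in .R and .Rmd files that calls a deserialization function, so each call can be reviewed for whether its input is untrusted, and it compares a reported R version against the 4.4.0 fix. readRDS is the function the page names; unserialize() and load() are assumed here to share the same unserialization path and are included on that assumption. The sample R source and version strings are constructed for the example.

```python
import re
from pathlib import Path

FIXED_IN = (4, 4, 0)                     # R 4.4.0 rejects promises in the serialization stream
# readRDS is named on the page; unserialize and load are assumed to use the same stream format.
LOADERS = ("readRDS", "unserialize", "load")
CALL_RE = re.compile(r"\b(" + "|".join(LOADERS) + r")\s*\(")
VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def parse_r_version(version_string: str) -> tuple:
    """Extract (major, minor, patch) from text such as 'R version 4.3.2 (2023-10-31)'."""
    m = VERSION_RE.search(version_string)
    if not m:
        raise ValueError(f"no version number in {version_string!r}")
    return tuple(int(part) for part in m.groups())


def is_patched(version_string: str) -> bool:
    """True when the reported R version already refuses promises at unserialize time."""
    return parse_r_version(version_string) >= FIXED_IN


def find_loader_calls(source: str, filename: str = "<string>") -> list:
    """Return (file, line number, function, line text) for each code line calling a loader.

    Comments are stripped crudely at the first '#', which is good enough for an
    inventory but will also cut a '#' that appears inside a string literal.
    """
    hits = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        code = line.split("#", 1)[0]
        for m in CALL_RE.finditer(code):
            hits.append((filename, lineno, m.group(1), line.strip()))
    return hits


def scan_tree(root: str) -> list:
    """Inventory every .R/.Rmd file under root."""
    hits = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in {".r", ".rmd"}:
            hits.extend(find_loader_calls(path.read_text(errors="replace"), str(path)))
    return hits


# Constructed sample script for this example; it is not taken from any real project.
SAMPLE_SOURCE = """\
library(jsonlite)
model <- readRDS(input_path)             # untrusted: path comes from a web upload
cfg <- jsonlite::fromJSON("config.json")
# obj <- unserialize(raw_bytes)          commented out, so not a live call site
load(file.path(data_dir, "session.RData"))
download.file(url, dest)                 # 'load' inside 'download' must not match
"""

if __name__ == "__main__":
    for version in ("R version 4.3.3 (2024-02-29)", "R version 4.4.0 (2024-04-24)"):
        print(f"{version}: {'patched' if is_patched(version) else 'VULNERABLE, upgrade'}")
    for filename, lineno, func, text in find_loader_calls(SAMPLE_SOURCE, "sample.R"):
        print(f"{filename}:{lineno}: {func}() -> {text}")
```

Each reported call site still needs a human decision: a readRDS of a file the organization produced and stored under its own control is a different risk from one fed by an upload or a downloaded package, and only the latter needs the sandbox or the upgrade before it runs again.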