Critical breach in R allows hackers to launch an attack on the supply chain

Father

The vulnerability affects thousands of organizations that use this language in their software.

A critical vulnerability has been discovered in the R programming language that could expose organizations using this popular open language to attacks across the software supply chain.

The vulnerability, designated CVE-2024-27322, is rated 8.8 out of 10 on the CVSS scale. The problem is related to the process of deserializing data in R, i.e. converting objects encoded in formats such as JSON, XML, and binary back to their original form for use in an application or program.

The R language is widely used for statistical computing and plotting, and is particularly popular among developers in the financial services, healthcare, research, government, and large data set environments such as artificial intelligence and machine learning.

Researchers from HiddenLayer discovered a weakness in the R deserialization process that allows attackers to execute arbitrary code in the victim's environment using a specially created RDS file. Such files are often used to store objects in R for future reference or exchange.

The vulnerability is related to concepts in R such as "lazy evaluation" and "promise objects". Lazy Evaluation is a programming technique in which a program does not evaluate an expression or variable until it is actually required to do so. Promise Objects are closely related to lazy evaluation and represent objects whose evaluation is deferred.

Attackers can exploit these concepts by creating an RDS file containing a specially prepared promise object with embedded arbitrary code that will be executed when the user downloads the infected file or package.

The vulnerability could potentially affect thousands of users as a result of a possible large-scale attack on the supply chain of open source software for R packages, especially given that some hubs, such as R-Forge or Bioconductor, are used regularly by many developers.

After HiddenLayer reported the issue to R developers, it was fixed in R version 4.4.0. Experts recommend that all organizations that use R in software development upgrade to the latest version of the language to reduce any potential risks.
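Added example (my own code, not from the article or from HiddenLayer): a small triage script for incident responders who need to inventory .rds files in a package or data drop without loading them into R. It reads only the serialization stream header (magic line, format version, the R version that wrote the file, minimum reader version, native encoding) and the SEXP type code of the top-level object; it never parses or evaluates the object body, so nothing is deserialized. The header layout follows R's public serialization format; the flagging rule is an assumption of mine, namely that saveRDS() writes evaluated values, so a promise (PROMSXP) as the top-level object is not expected in an ordinary data file and deserves manual review. The function names, the 4.4.0 comparison helper and the sample bytes are constructed for this example.

```python
"""Header-only triage for R serialization (.rds) streams.

Added example: inspects the stream header and the top-level type code only,
so the object body is never deserialized or evaluated.
"""
import bz2
import gzip
import lzma
import struct
from dataclasses import dataclass
from typing import List, Optional

PROMSXP = 5                  # SEXP type code of a promise object
R_FIXED_VERSION = (4, 4, 0)  # release the article names as carrying the fix


def decode_r_version(packed: int) -> str:
    """R packs versions as major*65536 + minor*256 + patch."""
    major, rest = divmod(packed, 65536)
    minor, patch = divmod(rest, 256)
    return f"{major}.{minor}.{patch}"


def r_version_is_fixed(version: str) -> bool:
    """True if an interpreter of this version is at or past the fixed release."""
    return tuple(int(p) for p in version.split(".")[:3]) >= R_FIXED_VERSION


def _decompress(raw: bytes) -> bytes:
    # saveRDS() defaults to gzip; bzip2 and xz are the other supported wrappers.
    if raw[:2] == b"\x1f\x8b":
        return gzip.decompress(raw)
    if raw[:3] == b"BZh":
        return bz2.decompress(raw)
    if raw[:6] == b"\xfd7zXZ\x00":
        return lzma.decompress(raw)
    return raw


@dataclass
class RdsHeader:
    format: str                     # "X" XDR binary, "A" ASCII, "B" native binary
    serialization_version: int
    writer_r_version: str
    min_reader_r_version: str
    native_encoding: Optional[str]  # only present in format version 3 streams
    top_level_type: Optional[int]   # SEXP type code of the first object, if readable


def parse_rds_header(raw: bytes) -> RdsHeader:
    data = _decompress(raw)
    if len(data) < 2 or data[1:2] != b"\n" or data[0:1] not in (b"X", b"A", b"B"):
        raise ValueError("not an R serialization stream")
    fmt = data[0:1].decode()
    if fmt != "X":
        # ASCII and native-binary streams encode integers differently; not handled here.
        return RdsHeader(fmt, -1, "?", "?", None, None)
    off = 2

    def read_int() -> int:
        nonlocal off
        (value,) = struct.unpack_from(">i", data, off)  # XDR ints: 4-byte big-endian
        off += 4
        return value

    version, writer, min_reader = read_int(), read_int(), read_int()
    natenc = None
    if version == 3:
        nelen = read_int()
        natenc = data[off:off + nelen].decode("ascii", "replace")
        off += nelen
    # The low byte of the first item's flags word is its SEXP type.
    top = (read_int() & 0xFF) if off + 4 <= len(data) else None
    return RdsHeader(fmt, version, decode_r_version(writer),
                     decode_r_version(min_reader), natenc, top)


def triage_rds_bytes(raw: bytes) -> List[str]:
    """Human-readable findings; an empty list means nothing unusual was seen."""
    header = parse_rds_header(raw)
    if header.format != "X":
        return [f"format {header.format!r} not inspected; review manually"]
    if header.top_level_type == PROMSXP:
        return ["top-level object is PROMSXP (a promise): not expected in data written "
                "by saveRDS(); quarantine and review before loading"]
    return []


def triage_rds_file(path: str) -> List[str]:
    with open(path, "rb") as fh:
        return triage_rds_bytes(fh.read())


# Constructed sample: an XDR v3 stream as R 4.3.1 would write the integer 42L
# (header, "UTF-8" native encoding, then an INTSXP of length 1).
SAMPLE_HEADER = (b"X\n" + struct.pack(">iii", 3, 4 * 65536 + 3 * 256 + 1, 3 * 65536 + 5 * 256)
                 + struct.pack(">i", 5) + b"UTF-8")
SAMPLE_BENIGN = SAMPLE_HEADER + struct.pack(">iii", 13, 1, 42)
SAMPLE_BENIGN_GZ = gzip.compress(SAMPLE_BENIGN)
# Constructed, truncated header whose top-level type code is PROMSXP; it only
# exercises the heuristic and is not a loadable file.
SAMPLE_TOPLEVEL_PROMISE = SAMPLE_HEADER + struct.pack(">i", PROMSXP)

if __name__ == "__main__":
    for name, blob in [("benign", SAMPLE_BENIGN_GZ), ("promise-at-top", SAMPLE_TOPLEVEL_PROMISE)]:
        print(name, parse_rds_header(blob), triage_rds_bytes(blob) or ["no findings"])
```

Run it over a directory of .rds files with `triage_rds_file(path)`; pair the output with `r_version_is_fixed()` on the interpreter version reported by the hosts that will load the files, since the mitigation the article describes is upgrading the reader, not the data. The script is a screening aid only: it cannot see promises nested inside a larger object, so a clean result is not proof of a benign file.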