New R Vulnerability CVE-2024-27322: Code Execution Risk in Data Files

Researchers from HiddenLayer have discovered a significant vulnerability in the R programming language, tracked as CVE-2024-27322, that exposes users to arbitrary code execution through deserialized data. This security flaw, centered around the R Data Serialization (RDS) process, poses a serious risk to users across various sectors, including healthcare, finance, and government.

Image: HiddenLayer

R’s Prominence Makes This Exploit Far-Reaching

The widespread adoption of R amplifies the threat significantly. Beloved by statisticians, data scientists, and researchers, R has carved a niche in fields handling highly sensitive information – think healthcare data analysis, financial modeling, and even government statistical operations. An R exploit could be the key to breaching these organizations’ defenses, with consequences ranging from confidential data theft to the disruption of crucial services.

The Exploit: How Trust Turns to Trouble

The R Data Serialization (RDS) format allows users to save and load serialized objects using R’s functions. However, HiddenLayer’s findings reveal that this functionality can be exploited by malicious actors to execute arbitrary code. By crafting an RDS file embedded with malicious code, attackers can execute the code when the file is loaded. The CVE-2024-27322 vulnerability arises from the use of “promise objects” and “lazy evaluation,” which delay the execution of functions until their values are needed, creating a perfect way for exploitation.

Exploitation Scenario and Potential Consequences

The process to exploit this vulnerability involves the following steps:

1. An attacker crafts an RDS file or tampers with an R package, embedding arbitrary R code.
2. When the manipulated file or package is loaded into the R environment, the embedded code executes, potentially leading to data theft, system compromise, or further malicious activities.

Given R’s extensive use in data-intensive fields, the exploitation of this vulnerability could lead to significant data breaches, unauthorized data manipulation, and widespread system compromise.

The Hidden Danger in Serialization

Serialization and deserialization processes are common in programming, but they can also introduce severe security risks if not properly managed. In R, the deserialization function eventually leads to the R_Unserialize function, which can parse and execute embedded code without proper validation. This loophole allows attackers to insert malicious code that can be executed within the R environment.

Supply Chain Infections: The Hidden Threat

R’s collaborative, package-sharing ecosystem is both a strength and a potential point of failure. HiddenLayer’s report stresses the danger of attackers quietly compromising ready-made packages on popular repositories. Imagine the widespread damage if a trusted package used by countless researchers was suddenly infused with a backdoor.

The Fix, and the Need for Constant Vigilance

Thankfully, the R project has been highly responsive, patching the vulnerability in version 4.4.0. Immediate updating to this latest version is paramount for anyone using R.