A security vulnerability has been discovered in the R programming language that could be exploited by a threat actor to create a malicious RDS (R Data Serialization) file such that it results in code execution when loaded and referenced.
The flaw, assigned the CVE identifier CVE-2024-27322 (CVSS score: 8.8), “involves the use of promise objects and lazy evaluation in R,” AI application security company HiddenLayer said in a report shared with The Hacker News.
RDS, like pickle in Python, is a format used to serialize and save the state of data structures or objects in R, an open-source programming language used in statistical computing, data visualization, and machine learning.
This process of serialization – serialize() or saveRDS() – and deserialization – unserialize() and readRDS() – is also leveraged when saving and loading R packages.
The root cause behind CVE-2024-27322 lies in the fact that it could lead to arbitrary code execution when deserializing untrusted data, thus leaving users exposed to supply chain attacks through specially crafted R packages.
An attacker looking to weaponize the flaw could therefore take advantage of the fact that R packages leverage the RDS format to save and load data, causing automatic code execution when the package is decompressed and deserialized.
“R packages are vulnerable to this exploit and can, therefore, be used as part of a supply chain attack via package repositories,” security researchers Kasimir Schulz and Kieran Evans said. “For an attacker to take over an R package, all they need to do is overwrite the rdx file with the maliciously crafted file, and when the package is loaded, it will automatically execute the code.”
The security defect has been addressed in version 4.4.0 released on April 24, 2024, following responsible disclosure.
“An attacker can exploit this [flaw] by crafting a file in RDS format that contains a promise instruction setting the value to unbound_value and the expression to contain arbitrary code,” HiddenLayer said. “Due to lazy evaluation, the expression will only be evaluated and run when the symbol associated with the RDS file is accessed.”
“Therefore if this is simply an RDS file, when a user assigns it a symbol (variable) in order to work with it, the arbitrary code will be executed when the user references that symbol. If the object is compiled within an R package, the package can be added to an R repository such as CRAN, and the expression will be evaluated and the arbitrary code run when a user loads that package.”
Update
The CERT Coordination Center (CERT/CC) has released an advisory for CVE-2024-27322, noting that the flaw could be exploited to achieve arbitrary code execution on the victim’s target device via malicious RDS or rdx files.
“An attacker can create malicious .rds and .rdx files and use social engineering to distribute those files to execute arbitrary code on the victim’s device,” CERT/CC said. “Projects that use readRDS on untrusted files are also vulnerable to the attack.”