CVE-2024-27322 RDS Flaw Exposes R Packages to Supply Chain Attacks
A severe security vulnerability in the R programming language has been disclosed, which could be exploited by malicious actors to create a malicious RDS (R Data Serialization) file that results in arbitrary code execution when loaded and referenced.
The flaw, identified as CVE-2024-27322, “involves the use of promise objects and lazy evaluation in R,” according to a report from AI application security company HiddenLayer.
RDS: The R Programming Language’s Pickle Equivalent
RDS, similar to pickle in Python, is a format used to serialize and save the state of data structures or objects in R, an open-source programming language widely used in statistical computing, data visualization, and machine learning.
The serialization process – serialize() or saveRDS() – and deserialization – unserialize() and readRDS() – is also leveraged when saving and loading R packages.
Root Cause: Arbitrary Code Execution on Deserialization
The root cause behind CVE-2024-27322 is that it could lead to arbitrary code execution when deserializing untrusted data, thus leaving users exposed to supply chain attacks through specially crafted R packages.
An attacker seeking to exploit this vulnerability could leverage R packages’ use of the RDS format to save and load data, causing automatic code execution when the package is decompressed and deserialized.
Supply Chain Attack Vector via R Package Repositories
“R packages are vulnerable to this exploit and can, therefore, be used as part of a supply chain attack via package repositories,” security researchers Kasimir Schulz and Kieran Evans warned. “For an attacker to take over an R package, all they need to do is overwrite the RDX file with the maliciously crafted file, and when the package is loaded, it will automatically execute the code.”
Patch Released in R Version 4.4.0
The security defect has been addressed in R version 4.4.0 released on April 24, 2024, following responsible disclosure.
HiddenLayer elaborated, “An attacker can exploit this [flaw] by crafting a file in RDS format that contains a promise instruction setting the value to unbound_value and the expression to contain arbitrary code. Due to lazy evaluation, the expression will only be evaluated and run when the symbol associated with the RDS file is accessed.”
“Therefore if this is simply an RDS file, when a user assigns it a symbol (variable) to work with it, the arbitrary code will be executed when the user references that symbol. If the object is compiled within an R package, the package can be added to an R repository such as CRAN. The expression will be evaluated and the arbitrary code run when a user loads that package.”