Governance & Risk Management , Patch Management
Critical Flaw in R Language Poses Supply Chain Risk
Deserialization Vulnerability Allows for Remote Code ExecutionA high-risk flaw in R statistics programming language could lead to a supply chain hack, warn security researchers who said they uncovered a deserialization flaw.
See Also: Cyber Hygiene and Asset Management Perception vs. Reality
The R Foundation, a nonprofit that maintains the language, popular among data scientists, released April 24 a patch for the flaw, tracked as CVE-2024-27322.
Kasimir Schulz, principal security researcher at HiddenLayer - which published Monday research detailing the vulnerability, told Information Security Media Group that no attacks have been reported and researchers were able to "catch up before anyone can compromise it." The Software Engineering Institute issued an alert about the flaw.
Researchers said the vulnerability lies in how the programming deserializes data - that is, how it figuratively unwraps data that's compressed - serialized - for sending across a network or for storage.
Security researchers have long known that hackers sneak malicious code into serialized data with the expectation that the computer doing the deserialization will execute the instructions, since they're putatively a part of legitimate data. Developers attempt to sanitize deserialization inputs, but Hidden Layer researchers say they found a way to force code execution.
The flaw comes down to the R data serialization process, which creates two files: an .rdb
file of data objects and an .rdx
file of metadata associated with each serialized object in the first file.
The deserialization process within the metadata file calls on the .rdb
file for data. "For an attacker to take over an R package, all they need to do is overwrite the .rdx
file with the maliciously crafted file, and when the package is loaded, it will automatically execute the code," HiddenLayer researchers wrote.
Researchers identified more than 135,000 R source files that use the readRDS serialization interface, which is vulnerable to the deserialization vulnerability. Some of the source files "included projects from R Studio, Facebook, Google, Microsoft, AWS, and other major software vendors," Hidden Layer said.