A vulnerability identified as CVE-2024-27322 [1] [2] [3] [4] [5] has been found in the R programming language, impacting versions 1.4.0 to 4.4.0 [2].

Description

This high-severity vulnerability is a deserialization-of-untrusted-data flaw that can lead to arbitrary code execution [2]. Attackers can exploit it with specially crafted R Data Serialization (RDS) files and R packages: the serialized stream can carry promise objects, and R's lazy evaluation of those promises causes code of the attacker's choosing to run while the data is being deserialized [1]. The issue has been resolved in R 4.4.0 (R Core), which restricts promises in the serialization stream so they are no longer lazily evaluated on load [4]. Organizations using R for statistical computing and graphics are particularly exposed [1], because R packages and repositories such as CRAN and Bioconductor are widely used [1] and every RDS file or package pulled from them widens the attack surface. It is imperative for organizations to update to the latest R version and to load only trusted files and packages to mitigate this risk [1].
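A defender-side way to make the mechanism concrete is to inspect an RDS file for the promise objects the flaw relies on. The following triage script is an added example, not code from the original page, from HiddenLayer, or from R Core. It parses the XDR (`X\n`) header that R's `saveRDS()` writes, gunzips the file if needed, and walks the serialized object stream counting PROMSXP (type 5) nodes. The stream layout is taken from R's `serialize.c` for format versions 2 and 3 (an assumption about that layout, not something the page states); the sample streams at the bottom are constructed by hand for the demonstration and are not real files. Types the walker does not know (bytecode, external pointers, ALTREP) raise an error rather than being skipped, so a scan never reports "clean" for a file it did not fully understand.

```python
"""Triage an RDS file for serialized promise objects (PROMSXP). Added example, not R Core's
or HiddenLayer's code; layout assumed from R's serialize.c, XDR formats 2 and 3 only."""
import gzip
import struct

PROMSXP = 5
NO_PAYLOAD = {241, 242, 247, 251, 252, 253, 254}   # BASEENV EMPTYENV BASENS MISSINGARG UNBOUND GLOBALENV NILVALUE
PAIRLIST_LIKE = {2, 3, 5, 6, 17}                    # LISTSXP CLOSXP PROMSXP LANGSXP DOTSXP
ELEMENT_SIZE = {10: 4, 13: 4, 14: 8, 15: 16, 24: 1} # LGLSXP INTSXP REALSXP CPLXSXP RAWSXP


class XdrReader:
    """Big-endian cursor over a decompressed RDS stream."""
    def __init__(self, data):
        self.data, self.pos = data, 0

    def int(self):
        (v,) = struct.unpack_from(">i", self.data, self.pos)
        self.pos += 4
        return v

    def raw(self, n):
        if self.pos + n > len(self.data):
            raise ValueError("truncated RDS stream")
        self.pos += n
        return self.data[self.pos - n:self.pos]

    def length(self):  # vector length; -1 means a 64-bit length follows as two words
        n = self.int()
        return ((self.int() << 32) | (self.int() & 0xFFFFFFFF)) if n == -1 else n


def unpack_version(v):  # R packs major*65536 + minor*256 + patch
    return (v >> 16, (v >> 8) & 0xFF, v & 0xFF)


def parse_header(blob):
    if blob[:2] == b"\x1f\x8b":
        blob = gzip.decompress(blob)
    if blob[:2] != b"X\n":
        raise ValueError("only XDR ('X\\n') RDS streams are handled here")
    r = XdrReader(blob)
    r.pos = 2
    fmt, writer, min_reader = r.int(), r.int(), r.int()
    if fmt not in (2, 3):
        raise ValueError(f"unknown RDS format version {fmt}")
    encoding = r.raw(r.int()).decode("ascii") if fmt == 3 else None  # format 3 adds native encoding
    return {"format": fmt, "writer_version": unpack_version(writer),
            "min_reader_version": unpack_version(min_reader), "native_encoding": encoding}, r


def walk(r, types):
    """Consume one serialized item and its children, appending every SEXPTYPE seen."""
    flags = r.int()
    t = flags & 0xFF
    has_attr, has_tag = bool(flags & (1 << 9)), bool(flags & (1 << 10))
    types.append(t)
    if t in NO_PAYLOAD:
        return
    if t == 255:                         # REFSXP: back-reference index packed in flags or next word
        if flags >> 8 == 0:
            r.int()
    elif t in PAIRLIST_LIKE:             # attr?, tag?, CAR, CDR (for a promise: env, value, code)
        if has_attr:
            walk(r, types)
        if has_tag:
            walk(r, types)
        walk(r, types)
        walk(r, types)
    elif t == 1:                         # SYMSXP: one CHARSXP
        walk(r, types)
    elif t == 4:                         # ENVSXP: locked flag, then enclos, frame, hashtab, attrib
        r.int()
        for _ in range(4):
            walk(r, types)
    elif t in (248, 249, 250):           # PERSISTSXP/NAMESPACESXP/PACKAGESXP: 0, count, CHARSXPs
        r.int()
        for _ in range(r.int()):
            walk(r, types)
    else:                                # vector-like types: payload first, attributes after
        if t in (7, 8, 9):               # SPECIALSXP/BUILTINSXP/CHARSXP: length-prefixed bytes, -1 = NA
            r.raw(max(r.int(), 0))
        elif t in ELEMENT_SIZE:
            r.raw(r.length() * ELEMENT_SIZE[t])
        elif t in (16, 19, 20):          # STRSXP/VECSXP/EXPRSXP: nested items
            for _ in range(r.length()):
                walk(r, types)
        elif t not in (23, 25):          # WEAKREFSXP/S4SXP carry nothing; everything else is refused
            raise ValueError(f"SEXPTYPE {t} not handled; inspect the file manually")
        if has_attr:
            walk(r, types)


def reader_is_vulnerable(r_version):
    """Affected readers per the advisory: 1.4.0 up to the fix in 4.4.0."""
    return (1, 4, 0) <= tuple(r_version) < (4, 4, 0)


def triage_rds(blob):
    header, r = parse_header(blob)
    types = []
    walk(r, types)
    header.update(object_types=types, promise_count=types.count(PROMSXP))
    return header


# Constructed samples, not real files: a format-3 header as R writes it, followed either by
# saveRDS(1L)'s payload (INTSXP, length 1, value 1) or by a pairlist holding an inert promise
# whose env, value and code are all NULL (structure only, no runnable code inside).
def xdr_header(writer=(4, 4, 0)):
    pack = lambda v: (v[0] << 16) | (v[1] << 8) | v[2]
    return b"X\n" + struct.pack(">iiii", 3, pack(writer), pack((3, 5, 0)), 5) + b"UTF-8"

BENIGN_RDS = xdr_header() + struct.pack(">iii", 13, 1, 1)
PROMISE_RDS = gzip.compress(xdr_header((4, 3, 2)) + struct.pack(">iiiii", 2, PROMSXP, 254, 254, 254))

if __name__ == "__main__":
    for name, blob in (("benign", BENIGN_RDS), ("promise", PROMISE_RDS)):
        print(name, triage_rds(blob))
```

Two design points matter when using something like this. The writer version in the header is just a field in an attacker-controlled file, so it is reported for context only; the finding is a non-zero `promise_count`, combined with `reader_is_vulnerable()` applied to the R version that will actually load the file. And a scanner like this is a compensating control for triaging files of unknown origin, not a substitute for the fix the page describes: upgrading to R 4.4.0 or later, which stops promises from being lazily evaluated during deserialization.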

Conclusion

Organizations must take immediate action to update to the latest R version and exercise caution when using R packages and repositories to prevent exploitation of this vulnerability. Failure to do so could result in significant security breaches and data compromises.

References

[1] https://www.darkreading.com/application-security/r-programming-language-exposes-orgs-to-supply-chain-risk
[2] https://www.tenable.com/cve/CVE-2024-27322
[3] https://www.techworm.net/2024/04/vulnerability-r-programming-supply-chain-attacks.html
[4] https://www.kb.cert.org/vuls/id/238194
[5] https://www.prnewswire.com/news-releases/hiddenlayer-uncovers-deserialization-vulnerability-in-open-source-programming-language-r-302129915.html