Researchers caught a serious security vulnerability in the R programming language that could allow arbitrary code execution. Given the extensive application of this language, particularly for AI/ML projects, the vulnerability could have a huge impact following malicious exploitation. Users urged to update their systems with the latest R Core release to receive the patch.
R Language Vulnerability Could Have Widespread Consequences
According to a recent report from HiddenLayer, their researchers found a serious code execution vulnerability in the R programming language.
As explained, the vulnerability existed due to the deserialization of untrusted data, and involves use of promise objects and lazy evaluation in R. A threat actor could exploit the flaw by tricking the victim user into opening a maliciously crafted RDS (R Data Serialization) formatted file or R package. Once done, the malicious file would execute arbitrary malicious R codes on the target machine.
While this sounds trivial, exploiting the flaw requires the victim user’s input. Thus, exploiting the flaw would require manipulating the victim via social engineering. Nonetheless, potential attackers could also consider deploying the maliciously crafted R packages on public repositories to target unsuspecting users.
The vulnerability has received the CVE ID CVE-2024-27322, with a high severity rating and a CVSS score of 8.8. HiddenLayer researchers have presented the detailed technical analysis about the flaw in their post, alongside sharing the following video which demonstrates the exploit.
Patch Deployed
Following the vulnerability report, the R Core developers patched the flaw with the latest release. Besides, CERT/CC has also issued an alert for R users, warning them of the flaw. Hence, users are advised to update to the R Core v4.4.0, for which the developers assure to have adequately addressed the flaw. According to their statement to The Register, the patched R Core version removes any attack vector for the vulnerability, ruling out the possibility of any widespread implications.
Let us know your thoughts in the comments.