Researchers have discovered a serious security vulnerability in the R programming language that allows arbitrary code execution. Given how widely the language is used, especially in AI/ML projects, the vulnerability could have a huge impact if exploited. Users were urged to update their systems to the latest R Core release, which contains the patch.
Vulnerability in the R language can have widespread consequences
According to a recent report from HiddenLayer, its researchers found a serious code execution vulnerability in the R programming language.
As explained in the report, the vulnerability stems from the deserialization of untrusted data and involves R's promise objects and lazy evaluation. A threat actor could exploit the flaw by tricking the victim user into creating a maliciously crafted RDS (R Data Serialization) file or R package. Once done, the malicious file would execute arbitrary R code on the target machine.
While this sounds trivial, exploitation requires action from the victim user, so an attacker would need to social-engineer the victim. Nevertheless, attackers could also deploy maliciously crafted R packages on public repositories to target unsuspecting users.
The vulnerability has been assigned the CVE ID CVE-2024-27322, with a high severity rating and a CVSS score of 8.8. HiddenLayer researchers presented a detailed technical analysis of the flaw in their post and shared a video demonstrating the exploit.
Patch implemented
Following the vulnerability report, the R Core developers patched the flaw in the latest release. CERT/CC has also issued an advisory warning R users of the flaw. Users are therefore advised to update to R Core v4.4.0, which the developers say adequately fixes the bug. According to their statement to The Register, the patched R Core version removes any attack vector for the vulnerability, eliminating the possibility of widespread impact.