Unpatched installations of the R programming language contain a serious vulnerability. An error in data deserialization allows malicious actors to execute code of their choosing in affected IT environments.
CVE-2024-27322 is a flaw in the deserialization process. Deserialization is needed to decode objects and configuration files stored in formats such as JSON, XML, YAML and binary notation. Such files make it easier to share particular configurations with others. However, an R Data Serialization (RDS) file can be crafted to behave maliciously, so an attacker need only convince a user that loading it is necessary or beneficial.
R widely used for critical applications
R is widely used for statistical analysis, data visualization and machine learning. HiddenLayer, which discovered the vulnerability, explains that the language is popular for applications in critical sectors such as healthcare, finance and government agencies. NASA, the World Health Organization and the U.S. military, among others, use it.
Version 4.4.0 of R (“Puppy Cup”) fixes the problem. Organizations that do not update remain exposed to exploitation. An actual attack is quite complex to carry out, but can have major consequences. HiddenLayer argues that the impact of a compromise can be significant, especially since R is used by organizations operating in critical industries. Patching this flaw is therefore critical.
Supply chain danger
Vulnerabilities in software are nothing new. However, they are far less common in programming languages themselves. It is also often unclear who is responsible for a given flaw, as was the case with a recent Rust vulnerability on Windows. Although this command injection flaw (CVE-2024-24576) can only occur on the Microsoft OS, the defect appears to be in an implementation made by the Rust team. A patch is now available there as well, so all versions after 1.77.2 are not at risk in this area.
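Since the remedy for both flaws is updating past the fixed release, a fleet-wide version triage is the practical first step. The following added example (not from the article, HiddenLayer or the R or Rust projects) parses constructed `R --version` and `rustc --version` output and flags installs below the thresholds the article gives; it assumes 1.77.2 itself is the first safe Rust release and compares versions numerically so that, for instance, a 4.10.0 build is not misread as older than 4.4.0.

```python
import re

# Fixed-version thresholds as given in the article: R 4.4.0 for CVE-2024-27322,
# Rust 1.77.2 for CVE-2024-24576 (assumed here to be the first safe release).
FIXED_VERSIONS = {
    "R": ((4, 4, 0), "CVE-2024-27322"),
    "rustc": ((1, 77, 2), "CVE-2024-24576"),
}

_VERSION_RE = re.compile(r"\b(\d+)\.(\d+)(?:\.(\d+))?\b")


def parse_version(text):
    """Extract the first dotted version in tool output as an integer tuple.

    Numeric comparison matters: a plain string compare ranks "4.10.0"
    below "4.4.0" and would mark a patched install as vulnerable.
    """
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no version found in: {text!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def is_vulnerable(tool, version_output):
    """True when the reported version is older than the fixed release."""
    fixed, _cve = FIXED_VERSIONS[tool]
    return parse_version(version_output) < fixed


def triage(inventory):
    """Return {host: [(tool, cve), ...]} for hosts still on a vulnerable build."""
    findings = {}
    for host, tools in inventory.items():
        for tool, output in tools.items():
            if is_vulnerable(tool, output):
                findings.setdefault(host, []).append((tool, FIXED_VERSIONS[tool][1]))
    return findings


# Constructed sample inventory (hostnames and build hashes are made up),
# mimicking the first line of `R --version` and `rustc --version`.
SAMPLE_INVENTORY = {
    "analytics-01": {"R": 'R version 4.3.2 (2023-10-31) -- "Eye Holes"',
                     "rustc": "rustc 1.77.2 (abcdef012 2024-04-09)"},
    "analytics-02": {"R": 'R version 4.4.0 (2024-04-24) -- "Puppy Cup"',
                     "rustc": "rustc 1.76.0 (0123456ab 2024-02-04)"},
    "build-01":     {"R": 'R version 4.10.0 (2030-01-01) -- "Constructed"',
                     "rustc": "rustc 1.78.0 (fedcba987 2024-04-29)"},
}

if __name__ == "__main__":
    for host, issues in triage(SAMPLE_INVENTORY).items():
        print(host, issues)
```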
The R vulnerability is somewhat similar to a 2015 vulnerability in Python's pickle module. In that case, serialization, i.e. the encoding process, was the culprit: malicious “pickle streams” can lead to exploitation.