Analysis Summary

Organizations that use the well-known open-source R programming language may be vulnerable to attacks through the software supply chain due to a high-severity vulnerability in the language's processes.

The CVSS severity score for the vulnerability, tracked as CVE-2024-27322, is 8.8 out of 10. It deals with using R's deserialization process to return objects encoded in binary, XML, and JSON forms to their original form so they can be used in an application or program. R is a language that's utilized in statistical computing and graphical applications quite a bit.

Developers working in fields like finance, healthcare, research, government, and AI and machine learning—which involve massive datasets—are fond of it. More than 20,000 packages are presently hosted by the most popular R package repository, Comprehensive R Archive Network (CRAN), and roughly 2,146 projects are hosted by R-Forge, a website that offers tools for developing R packages and has over 15,800 registered members.

Researchers discovered a flaw in the R process that allows an attacker to use a specifically constructed R Data Serialization (RDS) file to run arbitrary code in a victim environment. RDS files are frequently used by programmers to share or save objects in R for later usage. It is possible to take advantage of this vulnerability by loading RDS files or R packages, which developers and data scientists frequently share. The study states that an attacker can produce malicious RDS files or R packages with embedded arbitrary R code that, upon interaction, runs on the victim's target device. After being alerted of the problem by researchers, the R maintainers fixed it in R version 4.4.0.

The two core ideas of R that are related to the vulnerability that researchers found are "lazy evaluation" and "promise objects." By using the programming technique known as "lazy evaluation," an R program might delay evaluating a variable or expression until it is really needed or is accessed directly. By avoiding computations for phrases that may not ultimately be required, performance is to be improved. Lazy evaluation is closely associated with a promise object, which is an object whose evaluation has been postponed.

The method the cybersecurity experts found lets them establish a promise object with a payload that, when retrieved during RDS file deserialization, would execute any code they chose. R packages leverage the RDS format to save and load data. Two files that facilitate this process are a .rdb file that contains all the serialized objects to be included in a package, and a .rdx file that contains metadata about each of the objects.

The objects in the .rdb file are located when a package is loaded using the RDS format information that is stored in the .rdx file. By constructing an RDS file with a specifically constructed promise object embedded with arbitrary code, an attacker can take advantage of this. Once a user loads the malicious file or package, the embedded arbitrary code will be run because of the way R supports lazy evaluation. A weaponized package can be added to a CRAN or other R repository quite easily by an attacker, who then has to wait for an unsuspecting user to load it.

R developers use hundreds of popular hubs for package sharing and downloads, including Bioconductor and R-Forget. These hubs offer thousands of packages to developers, some of which are regularly utilized (like Bioconductor, which has seen over 42 million downloads). All it would take for thousands of downstream users to be impacted in a potentially enormous supply chain attack is for someone to exploit the vulnerability and the vast amount of open-source software available for R packages.

To reduce risk, it is advised that companies upgrade to the most recent version of R. Furthermore, it is imperative for organizations to apprise R users of the existence of present and possible future vulnerabilities of this kind and to establish a policy of exclusively utilizing verified and approved files and packages.

Impact

• Code Execution
• Unauthorized Access

Indicators of Compromise

CVE

• CVE-2024-27322

Affected Vendors

Remediation

• Upgrade to the latest version of R, available from the R Project Website.
• Ensuring that all security fixes are properly documented with CVE identifiers and advisories can facilitate better communication and handling of security updates down the supply chain.
• Implementing systems for continuous monitoring of firmware and software components for vulnerabilities is crucial. This allows for timely detection and remediation of vulnerabilities, even in third-party components.
• Collaboration between device vendors and third-party software maintainers is essential for effectively addressing vulnerabilities.
• Educating end users about the importance of applying security updates and the risks associated with running outdated software can help mitigate the impact of vulnerabilities.
• Implement multi-factor authentication to add an extra layer of security to login processes.
• Regularly monitor network activity for any unusual behavior, as this may indicate that a cyberattack is underway.
• Organizations need to stay vigilant and follow best practices for cybersecurity to protect their systems and data from potential threats. This includes regularly updating software and implementing strong access controls and monitoring tools.
• Develop a comprehensive incident response plan to respond effectively in case of a security breach or data leakage.
• Maintain regular backups of critical data and systems to ensure data recovery in case of a security incident.
• Adhere to security best practices, including the principle of least privilege, and ensure that users and applications have only the necessary permissions.
• Establish a robust patch management process to ensure that security patches are evaluated, tested, and applied promptly.
• Conduct security audits and assessments to evaluate the overall security posture of your systems and networks.
• Implement network segmentation to contain and isolate potential threats to limit their impact on critical systems.