Critical error in R language poses risks to the supply chain


Deserialization vulnerability allows remote code execution

Akshaya Asokan (asokan_akshaya) •
May 2, 2024

Researchers discovered a deserialization flaw in the R programming language. (Image: Shutterstock)

A dangerous flaw in the R statistical programming language could enable a supply chain attack, warn security researchers who say they have discovered a deserialization vulnerability.


The R Foundation, the nonprofit organization that maintains the language popular among data scientists, released a patch on April 24 for the flaw, which is tracked as CVE-2024-27322.

Kasimir Schulz, chief security researcher at HiddenLayer – which published research detailing the vulnerability on Monday – told Information Security Media Group that no attacks were reported and that researchers were able to “catch up before anyone could compromise it.” The Software Engineering Institute has issued a warning about the flaw.

Researchers say the vulnerability lies in how the language deserializes data – that is, how it unpacks data that has been serialized, meaning packed into a byte stream, for transmission over a network or for storage.

Security researchers have long known that attackers sneak malicious code into serialized data in the expectation that the computer performing the deserialization will execute the instructions, since they are presumably part of legitimate data. Developers try to sanitize deserialization inputs, but HiddenLayer researchers say they found a way to force code execution regardless.

The flaw comes down to the R data serialization process, which creates two files: an .rdb file holding the serialized data objects and an .rdx metadata file that describes each serialized object in the first file.

When the metadata file is deserialized, it directs R to the .rdb file for the data. “If an attacker wants to take over an R package, all he has to do is replace the .rdx file with one containing the maliciously crafted file, and when the package is loaded, it will automatically execute the code,” HiddenLayer researchers wrote.

Researchers identified more than 135,000 R source files that use the readRDS deserialization interface and are therefore exposed to the flaw. Some of those source files “include projects from RStudio, Facebook, Google, Microsoft, AWS, and other major software vendors,” according to HiddenLayer.