A flaw in the R programming language poses a major security threat

Without a patch, the R programming language contains a serious vulnerability. A data deserialization flaw allows malicious actors to execute their own programming code in IT environments.

CVE-2024-27322 concerns a flaw in the deserialization process. Deserialization is needed to decode objects and configuration files in JSON, XML, YAML and binary notation, among others. Such files make it easier to share certain configurations with others. However, an R Data Serialization (RDS) file can be crafted to act maliciously, meaning an attacker only needs to convince a user that loading it is necessary or useful.
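As an added example (not code from the article, HiddenLayer or the R project), the following Python reads only an RDS file's header and the type code of its first object, before anything is deserialized, and gates loading on a patched runtime. The layout it parses (optional gzip wrapper, "X\n" magic, three packed version ints, a format-3 encoding name, a flags word with the SEXP type in its low byte) and the type codes are assumed from R's serialization format, and the sample file is constructed in code.

```python
import gzip
import struct

# Assumed RDS layout: optional gzip wrapper, "X\n" magic (XDR binary), three
# big-endian ints (format version, writer R version, minimum reader version,
# packed as major<<16 | minor<<8 | patch), in format 3 a length-prefixed
# native-encoding name, then the first object's flags word (low byte = type).
SEXP_TYPES = {0: "NILSXP", 1: "SYMSXP", 2: "LISTSXP", 3: "CLOSXP", 4: "ENVSXP",
              5: "PROMSXP", 6: "LANGSXP", 10: "LGLSXP", 13: "INTSXP",
              14: "REALSXP", 16: "STRSXP", 19: "VECSXP", 21: "BCODESXP"}
CODE_TYPES = {"CLOSXP", "PROMSXP", "LANGSXP", "BCODESXP"}  # carry code, not data
FIXED_IN = (4, 4, 0)  # R 4.4.0 ships the fix for CVE-2024-27322


def unpack_r_version(packed):
    return (packed >> 16, (packed >> 8) & 0xFF, packed & 0xFF)


def rds_header_info(blob):
    """Read RDS metadata without deserializing the payload."""
    data = gzip.decompress(blob) if blob[:2] == b"\x1f\x8b" else blob
    if data[:2] != b"X\n":
        raise ValueError("not an XDR-format RDS stream")
    fmt, writer, min_reader = struct.unpack(">iii", data[2:14])
    pos, encoding = 14, None
    if fmt == 3:
        (n,) = struct.unpack(">i", data[pos:pos + 4])
        encoding = data[pos + 4:pos + 4 + n].decode("ascii")
        pos += 4 + n
    (flags,) = struct.unpack(">i", data[pos:pos + 4])
    return {"format": fmt, "writer": unpack_r_version(writer),
            "min_reader": unpack_r_version(min_reader), "encoding": encoding,
            "top_type": SEXP_TYPES.get(flags & 0xFF, "type_%d" % (flags & 0xFF))}


def triage(blob, runtime_version):
    """Return (ok, reason). Refuses untrusted files on an unpatched R and flags a
    file whose top-level object is code. Nested objects are not walked: triage aid only."""
    info = rds_header_info(blob)
    if tuple(runtime_version) < FIXED_IN:
        return False, "runtime %d.%d.%d predates the 4.4.0 fix" % tuple(runtime_version)
    if info["top_type"] in CODE_TYPES:
        return False, "top-level object is %s, not data" % info["top_type"]
    return True, "header ok: written by R %d.%d.%d" % info["writer"]


def build_sample_rds(values, writer=(4, 4, 0)):
    """Constructed sample: a gzip-wrapped format-3 RDS holding an integer vector."""
    packed_writer = (writer[0] << 16) | (writer[1] << 8) | writer[2]
    body = b"X\n" + struct.pack(">iii", 3, packed_writer, (3 << 16) | (5 << 8))  # min reader 3.5.0
    body += struct.pack(">i", 5) + b"UTF-8"  # native encoding name
    body += struct.pack(">ii", 13, len(values)) + struct.pack(">%di" % len(values), *values)
    return gzip.compress(body)
```

Upgrading to R 4.4.0 is the actual fix; this check only lets a pipeline refuse to hand untrusted files to an unpatched runtime and surface files that do not look like plain data.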

R widely used for critical applications

R is widely used for statistical analysis, data visualization and machine learning. HiddenLayer, which discovered the vulnerability, explains that the language is popular for applications in critical industries such as healthcare, finance and government agencies. NASA, the World Health Organization and the US military, among others, use it.

Version 4.4.0 of R (“Puppy Cup”) resolves the issue in question. Organizations that do not update are vulnerable to exploitation. An actual attack is quite complex to carry out, but can have major consequences. HiddenLayer argues that the impact of a compromise could be significant, especially as R is used by organizations operating in critical industries. Patching the potential hazard is therefore crucial.

Danger to the supply chain

Vulnerabilities in software are nothing new. In programming languages themselves, however, they are a lot less prominent. It is also often unclear whose fault a specific threat is, as was the case with a recent Rust vulnerability on Windows. While this command injection threat (CVE-2024-24576) can only occur on the Microsoft OS, the flaw appears to lie in an implementation created by the Rust team. A patch is now also available there, so all versions after 1.77.2 are not at risk in this area.

The R vulnerability is somewhat similar to an older vulnerability in the Python Pickle module from 2015. In that case too, serialization, that is, the process of encoding objects into a byte stream, is the culprit: malicious pickle streams can lead to exploitation.