Home Security New R Programming Vulnerability Exposes Projects to Supply Chain Attacks

New R Programming Vulnerability Exposes Projects to Supply Chain Attacks

by crpt os


Apr 29, 2024NewsroomProgramming / Supply Chain

A security vulnerability has been discovered in the R programming language that could be exploited by a threat actor to create a malicious RDS (R Data Serialization) file such that it results in code execution when loaded and referenced.

The flaw, assigned the CVE identifier CVE-2024-27322, “involves the use of promise objects and lazy evaluation in R,” AI application security company HiddenLayer said in a report shared with The Hacker News.

RDS, like pickle in Python, is a format used to serialize and save the state of data structures or objects in R, an open-source programming language used in statistical computing, data visualization, and machine learning.

Cybersecurity

This process of serialization – serialize() or saveRDS() – and deserialization – unserialize() and readRDS() – is also leveraged when saving and loading R packages.

The root cause behind CVE-2024-27322 lies in the fact that it could lead to arbitrary code execution when deserializing untrusted data, thus leaving users exposed to supply chain attacks through specially crafted R packages.

An attacker looking to weaponize the flaw could therefore take advantage of the fact that R packages leverage the RDS format to save and load data, causing automatic code execution when the package is decompressed and deserialized.

“R packages are vulnerable to this exploit and can, therefore, be used as part of a supply chain attack via package repositories,” security researchers Kasimir Schulz and Kieran Evans said. “For an attacker to take over an R package, all they need to do is overwrite the rdx file with the maliciously crafted file, and when the package is loaded, it will automatically execute the code.”

The security defect has been addressed in version 4.4.0 released on April 24, 2024, following responsible disclosure.

Cybersecurity

“An attacker can exploit this [flaw] by crafting a file in RDS format that contains a promise instruction setting the value to unbound_value and the expression to contain arbitrary code,” HiddenLayer said. “Due to lazy evaluation, the expression will only be evaluated and run when the symbol associated with the RDS file is accessed.”

“Therefore if this is simply an RDS file, when a user assigns it a symbol (variable) in order to work with it, the arbitrary code will be executed when the user references that symbol. If the object is compiled within an R package, the package can be added to an R repository such as CRAN, and the expression will be evaluated and the arbitrary code run when a user loads that package.”

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.





Source link

Related Articles

xxxanti beeztube.mobi hot sexy mp4 menyoujan hentaitgp.net jason voorhees hentai indian soft core chupatube.net youjzz ez2 may 8 2023 pinoycinema.org ahensya ng pamahalaan pakistani chut ki chudai pimpmovs.com www xvedio dost ke papa zztube.mobi 300mbfilms.in صور مص الزب arabporna.net نهر العطش لمن تشعر بالحرمان movierulz plz.in bustyporntube.info how to make rangoli video 穂高ゆうき simozo.net 四十路五十路 ロシアav javvideos.net 君島みお 無修正 افلام سكس في المطبخ annarivas.net فيلم سكس قديم rashmi hot videos porncorn.info audiosexstories b grade latest nesaporn.pro high school girls sex videos real life cam eroebony.info painfull porn exbii adult pics teacherporntrends.com nepali school sex