R Programming Bug Exposes Orgs to Vast Supply Chain Risk

A high-severity vulnerability in an R programming language process could expose organizations using the popular open source language to attacks via the software supply chain.

The vulnerability, assigned CVE-2024-27322, has a CVSS vulnerability-severity score of 8.8 out of 10. It involves R's process for deserializing data, or converting objects encoded in formats such as JSON, XML, and binary, back to their original form for use in an application or program.

R is a relatively widely used language for statistical computing and graphics applications. It is popular among developers in sectors such as financial services, healthcare, research, government and in environments involving large datasets such as AI and machine learning. The Comprehensive R Archive Network (CRAN), which is the most popular R package repository, currently hosts more than 20,000 packages, while R-Forge, a site that provides R package development tools, has more than 15,800 registered members and hosts some 2,146 projects.

Deserialization Issue

Researchers at HiddenLayer found a weakness in R's process that gives attackers a way to execute arbitrary code in a victim environment via a specially crafted R Data Serialization (RDS) file. Programmers commonly use RDS files to store or save objects in R for future use or for sharing with others.

"This vulnerability can be exploited through the loading of RDS files or R packages, which are often shared between developers and data scientists," HiddenLayer researchers Kasimir Schulz and Kieran Evans said in a report this week. "An attacker can create malicious RDS files or R packages containing embedded arbitrary R code that executes on the victim’s target device upon interaction," according to the report.

The maintainers of R have addressed the issue in R version 4.4.0 after HiddenLayer informed them of the issue.

A Lazy Promise Allows Tinkering

The vulnerability in R that HiddenLayer discovered relates to two fundamental concepts in R, called "lazy evaluation" and "promise objects." Lazy evaluation is a programming technique where an R program does not evaluate an expression or variable until actually required to, or when directly accessed. The goal is to improve performance by avoiding computations for expressions that might end up not being needed. A promise object is closely related to lazy evaluation and represents the object that has been delayed for evaluation.

What the researchers at HiddenLayer discovered was a way to create a promise object with a payload that would run code of their choice when the object was accessed during RDS file deserialization.

"R packages leverage the RDS format to save and load data," according to HiddenLayer. Two files that facilitate this process are an .rdb file that contains all the serialized objects to be included in a package, and an .rdx file that contains metadata about each of the objects.

"When a package is loaded, the metadata stored in the RDS format within the .rdx file is used to locate the objects within the .rdb file," according to the analysis. The objects within the .rdb files are then deserialized.

"An attacker can exploit this by creating an RDS file that contains a specially crafted promise object embedded with arbitrary code," Schulz tells Dark Reading. "Due to the way R implements lazy evaluation, the embedded arbitrary code will be executed once a user has loaded the malicious file or package." An attacker can relatively easily add a weaponized package to an R repository such as CRAN and simply wait for an unwary user to load that package.

Potentially Vast Attack Surface: Multiple Infection Sources

There are literally dozens of major hubs, such as R-Forget and Bioconductor, that R developers use to share and download packages. Not only are these hubs providing developers with access to thousands of packages, some, like Bioconductor, with more than 42 million downloads are being used regularly, Schulz says. "Someone just needs to take advantage of the vulnerability and the massive open source space for R packages to affect thousands of downstream users in a potentially massive supply chain attack," he says.

Schulz recommends that organizations move to the latest version of R to mitigate risk: "In addition, organizations should ensure that users of R are made aware of current and potential future vulnerabilities of this nature and make it policy to only use known trusted files and packages."