Introduction
R is a popular programming language for statistical computing and graphics, and a preferred choice for statistical methodology covering a wide range of statistical and graphical techniques. On 29 April 2024, the AI application security company HiddenLayer disclosed a vulnerability in R. Its researchers, Kasimir Schulz and Kieran Evans, traced the flaw to how R loads RDS (R Data Serialization) files and R packages: it is triggered when an RDS file is deserialised, and it lets code embedded in the file run on the machine that deserialises it. The vulnerability is tracked as CVE-2024-27322 in the U.S. National Vulnerability Database, with a CVSS base score of 8.8, a "High" severity rating.
The significance of this vulnerability extends beyond individual R users. It opens the door to a supply chain attack, because a malicious file can reach a victim through several routes:
- Social engineering and overwriting R packages: R installs packages with lazy loading, a technique where the actual loading of an object is deferred until it is first needed; a package's objects are serialised into .rdb/.rdx files at install time and deserialised on demand. A threat actor who plants a malicious serialised object in a package, whether by overwriting a package already installed on the victim's system or by distributing a tampered one, gets arbitrary code execution as soon as the package is loaded and the object is referenced. Social engineering does the rest: tricking users into downloading and opening such files, or distributing them widely on social media for further reach.
- Targeting research groups: R&D groups are a natural target, because most organisations use R somewhere for data analysis and for plotting graphs and figures, and the data files and scripts these researchers exchange flow downstream to other teams. A compromised researcher workstation therefore becomes the weakest link in the chain, handing an attacker a foothold from which to reach the wider network.
Implications for Military & Government
This vulnerability poses a significant threat to the civilian, military and governmental sectors, all of which rely heavily on R for data analysis, modelling and predictive analytics. An attacker who can tamper with these analytical pipelines could produce erroneous conclusions or predictions and so undermine strategic decision-making. Where R is integrated into operational systems for real-time analysis or decision support, the severity is greater still: unauthorised control over such systems could threaten security and public safety. Finally, a system compromised through this vulnerability can serve as a launchpad for further attacks, escalating the risk well beyond the initial victim.
Before the patch, the only workaround was to open untrusted RDS/RDX files inside a sandbox or container, so that any code they execute cannot reach the underlying system. That isolation mitigates the problem but does not fix it: as the CERT Coordination Center (CERT/CC) at Carnegie Mellon University's Software Engineering Institute advises, all systems should update to R 4.4.0, which addresses the flaw by restricting promises in the serialisation stream.
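To make the mechanism concrete, here is a pre-load check written for this article; it is not HiddenLayer's code and not part of R. It is a small Python walker over the RDS serialisation stream (the XDR layout that saveRDS writes) that counts promise objects, SEXPTYPE 5 or PROMSXP, so an untrusted .rds file can be refused before readRDS() ever parses it. The type codes and field order are those of R's serialize.c; the names RdsWalker, scan_rds and the helper functions are this example's own. The two sample streams are constructed by hand for the example and are not real-world artefacts: one has the shape HiddenLayer described (a promise whose value is R_UnboundValue, whose environment is the global environment, and whose code is a call, here system("id")), the other is an ordinary named integer vector. Anything the walker does not know how to skip, byte-code objects for instance, makes it fail closed rather than guess.

```python
# Pre-load scanner for R's RDS serialisation stream (XDR layout). Added example, not
# HiddenLayer's or the R project's code; type codes and layout follow R's serialize.c.
import gzip
import struct
# SEXPTYPE codes (Rinternals.h), then the pseudo-types that exist only inside a stream
SYMSXP, LISTSXP, CLOSXP, ENVSXP, PROMSXP, LANGSXP, SPECIALSXP, BUILTINSXP, CHARSXP, LGLSXP = range(1, 11)
INTSXP, REALSXP, CPLXSXP, STRSXP, DOTSXP, VECSXP, EXPRSXP = 13, 14, 15, 16, 17, 19, 20
BCODESXP, EXTPTRSXP, WEAKREFSXP, RAWSXP, S4SXP = 21, 22, 23, 24, 25
(REFSXP, NILVALUE_SXP, GLOBALENV_SXP, UNBOUNDVALUE_SXP, MISSINGARG_SXP,
 BASENAMESPACE_SXP, NAMESPACESXP, PACKAGESXP, PERSISTSXP) = range(255, 246, -1)
EMPTYENV_SXP, BASEENV_SXP, ATTRLANGSXP, ATTRLISTSXP, ALTREP_SXP = range(242, 237, -1)
NO_PAYLOAD = {NILVALUE_SXP, GLOBALENV_SXP, UNBOUNDVALUE_SXP, MISSINGARG_SXP,
              BASENAMESPACE_SXP, EMPTYENV_SXP, BASEENV_SXP}
PAIRLIKE = {LISTSXP, LANGSXP, CLOSXP, PROMSXP, DOTSXP, ATTRLANGSXP, ATTRLISTSXP}
ELEM_SIZE = {LGLSXP: 4, INTSXP: 4, REALSXP: 8, CPLXSXP: 16, RAWSXP: 1}  # bytes per element


class RdsWalker:
    def __init__(self, data: bytes):
        self.data, self.pos, self.promises = data, 0, 0
    def take(self, n: int) -> bytes:  # bounds-checked read: a truncated stream fails closed
        if n < 0 or self.pos + n > len(self.data):
            raise ValueError("truncated RDS stream")
        self.pos += n
        return self.data[self.pos - n:self.pos]
    def read_int(self) -> int:
        return struct.unpack(">i", self.take(4))[0]
    def read_length(self) -> int:  # -1 flags a long vector whose 64-bit length follows as two ints
        n = self.read_int()
        return n if n != -1 else (self.read_int() << 32) | (self.read_int() & 0xFFFFFFFF)
    def header(self) -> None:
        if self.take(2) != b"X\n":
            raise ValueError("only XDR ('X') RDS streams are handled")
        version, _writer_ver, _min_reader_ver = self.read_int(), self.read_int(), self.read_int()
        if version == 3:
            self.take(self.read_int())  # native encoding name, e.g. "UTF-8"
        elif version != 2:
            raise ValueError(f"unknown RDS version {version}")
    def item(self) -> int:  # walk one serialised object and return its SEXPTYPE code
        flags = self.read_int()
        t, has_tag = flags & 0xFF, bool(flags & 0x400)
        has_attr = bool(flags & 0x200) or t in (ATTRLANGSXP, ATTRLISTSXP)
        if t == PROMSXP: self.promises += 1
        if t == REFSXP and flags >> 8 == 0: self.read_int()  # back-reference index in a following int
        if t in NO_PAYLOAD or t == REFSXP:
            return t
        if t in PAIRLIKE:  # written as ATTRIB, TAG, CAR, CDR
            if has_attr: self.item()
            if has_tag: self.item()  # promise: the environment it will be forced in
            self.item()  # CAR; promise: its value (R_UnboundValue while unforced)
            self.item()  # CDR; promise: the code evaluated when it is forced
            return t
        if t == SYMSXP:
            self.item()  # the symbol's name, a CHARSXP
            return t
        if t in (ENVSXP, NAMESPACESXP, PACKAGESXP, PERSISTSXP):
            self.read_int()  # ENVSXP: locked flag; the others: a constant 0
            for _ in range(4 if t == ENVSXP else self.read_int()): self.item()  # env: enclos, frame, hashtab, attrib
            return t
        if t == ALTREP_SXP:
            for _ in range(3): self.item()  # info, state, attrib
            return t
        if t == CHARSXP:
            self.take(max(self.read_int(), 0))  # -1 encodes NA_character_
        elif t in ELEM_SIZE:
            self.take(ELEM_SIZE[t] * self.read_length())
        elif t in (STRSXP, VECSXP, EXPRSXP):
            for _ in range(self.read_length()): self.item()
        elif t in (SPECIALSXP, BUILTINSXP):
            self.take(self.read_int())  # the primitive's name
        elif t == EXTPTRSXP:
            self.item(); self.item()  # protected value, tag
        elif t not in (WEAKREFSXP, S4SXP):  # those carry attributes only; anything else fails closed
            raise ValueError(f"unsupported SEXPTYPE {t} (e.g. byte-code); refusing to classify")
        if has_attr: self.item()
        return t


def scan_rds(data: bytes) -> dict:  # {'promises': n, 'top_type': code}; ValueError if it cannot be walked
    if data[:2] == b"\x1f\x8b":  # saveRDS() gzip-wraps its output by default
        data = gzip.decompress(data)
    w = RdsWalker(data)
    w.header()
    top = w.item()
    if w.pos != len(data): raise ValueError("trailing bytes after the top-level object")
    return {"promises": w.promises, "top_type": top}


# Constructed sample streams (not artefacts from the wild), encoded as R's serialize.c would
def i4(v: int) -> bytes: return struct.pack(">i", v)
def charsxp(s: str) -> bytes: return i4(CHARSXP | 64 << 12) + i4(len(s)) + s.encode()  # ASCII gp bit
def strsxp(*xs: str) -> bytes: return i4(STRSXP) + i4(len(xs)) + b"".join(map(charsxp, xs))
HEADER = b"X\n" + i4(2) + i4(0x040300) + i4(0x020300)  # XDR, format version 2, written by R 4.3.0
# malicious: an unforced promise (env globalenv, value R_UnboundValue) whose code is system("id")
EVIL_RDS = (HEADER + i4(PROMSXP | 0x400) + i4(GLOBALENV_SXP) + i4(UNBOUNDVALUE_SXP)
            + i4(LANGSXP) + i4(SYMSXP) + charsxp("system") + i4(LISTSXP) + strsxp("id") + i4(NILVALUE_SXP))
EVIL_RDS_GZ = gzip.compress(EVIL_RDS)
# benign: c(a = 1L, b = 2L), an integer vector carrying a "names" attribute
SAFE_RDS = (HEADER + i4(INTSXP | 0x200) + i4(2) + i4(1) + i4(2) + i4(LISTSXP | 0x400)
            + i4(SYMSXP) + charsxp("names") + strsxp("a", "b") + i4(NILVALUE_SXP))
```

Run it over a file with scan_rds(open(path, "rb").read()) and refuse to load anything whose promise count is non-zero. Two caveats: the check only unwraps gzip, so files written with saveRDS(compress = "bzip2") or "xz" must be decompressed first, and it deliberately rejects non-XDR streams and any object type it cannot walk instead of guessing. On R 4.4.0 and later the reader itself refuses promises, so this is a belt-and-braces check for files in transit and for hosts that have not yet been patched.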
Conclusion
In the rapidly evolving cybersecurity landscape, the value of proactive security measures in software development and deployment cannot be overstated. This case underscores the need for continuous vigilance, rigorous testing, regular updates and secure coding practices to mitigate emerging threats. Regular security audits of R-based applications, and secure data serialisation practices in particular, are essential for finding and fixing such vulnerabilities.
The widespread use of R packages and repositories such as CRAN creates potential avenues for supply chain attacks, so packages uploaded to these repositories need closer scrutiny. At the same time, vulnerabilities cannot be attributed solely to R's core ecosystem; they call for collective responsibility from everyone who uses R. Staying informed about the packages they depend on, and actively managing the risks of known vulnerabilities, falls to every R user.
The discovery of CVE-2024-27322 in the R programming language exemplifies the real-world risk posed by supply chain attacks. The vulnerability abuses promise objects and lazy evaluation in R: a crafted RDS (R Data Serialization) file can carry a promise whose code runs as soon as the loaded object is referenced. Because serialisation and deserialisation are central to saving and loading R data and packages, this weakness touches a great deal of everyday R usage and highlights the need for stronger safeguards around deserialisation.
The cybersecurity challenges faced by the R ecosystem underscore the importance of a multifaceted approach to security: secure coding practices, regular security audits, and the active participation of all R users in staying informed about vulnerabilities and taking steps to mitigate them. As R continues to gain popularity across sectors including finance, healthcare and research, the responsibility to guard against supply chain attacks and other cybersecurity threats becomes increasingly critical.