
Critical Flaw in R Language Poses Supply Chain Risk

Deserialization Vulnerability Allows for Remote Code Execution
Researchers discovered a deserialization flaw in the R programming language. (Image: Shutterstock)

A high-risk flaw in the R statistical programming language could lead to a supply chain hack, warn security researchers who said they uncovered a deserialization flaw.


The R Foundation, the nonprofit that maintains the language, which is popular among data scientists, released a patch for the flaw, tracked as CVE-2024-27322, on April 24.

Kasimir Schulz, principal security researcher at HiddenLayer, which published research detailing the vulnerability on Monday, told Information Security Media Group that no attacks have been reported and that researchers were able to "catch up before anyone can compromise it." The Software Engineering Institute issued an alert about the flaw.

Researchers said the vulnerability lies in how the language deserializes data - that is, how it unpacks data that has been packaged, or serialized, for sending across a network or for storage.

Security researchers have long known that hackers sneak malicious code into serialized data with the expectation that the computer doing the deserialization will execute the instructions, since they are putatively part of legitimate data. Developers attempt to sanitize deserialization inputs, but HiddenLayer researchers say they found a way to force code execution.

The flaw comes down to the R data serialization process, which creates two files: an .rdb file of data objects and an .rdx file of metadata associated with each serialized object in the first file.

When the metadata file is deserialized, it references the .rdb file for the data. "For an attacker to take over an R package, all they need to do is overwrite the .rdx file with the maliciously crafted file, and when the package is loaded, it will automatically execute the code," HiddenLayer researchers wrote.

Researchers identified more than 135,000 R source files that use the readRDS serialization interface, which is exposed to this flaw. Some of the source files "included projects from R Studio, Facebook, Google, Microsoft, AWS, and other major software vendors," HiddenLayer said.
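Two defensive checks that follow from the article, written here as an added example rather than code from HiddenLayer or the R project: flag R source lines that call the readRDS interface the researchers scanned for, and record hashes of a package's .rdb/.rdx lazy-load files so an overwritten .rdx is noticed before the package is loaded. The inclusion of unserialize() and load() alongside readRDS, and the R/pkg.rdb layout of the constructed package, are assumptions.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# R functions that deserialize objects. readRDS is the interface the article names;
# unserialize() and load() are siblings added here on the assumption they matter equally.
DESERIALIZE_CALL = re.compile(r"\b(readRDS|unserialize|load)\s*\(")
LAZYLOAD_SUFFIXES = {".rdb", ".rdx"}

def find_deserialize_calls(r_source: str) -> list[tuple[int, str]]:
    """Return (line_no, function) for each deserialization call in R source text.
    Trailing '#' comments are stripped naively, so a '#' inside a string is a known gap."""
    hits = []
    for line_no, line in enumerate(r_source.splitlines(), start=1):
        code = line.split("#", 1)[0]
        hits.extend((line_no, m.group(1)) for m in DESERIALIZE_CALL.finditer(code))
    return hits

def build_manifest(pkg_dir: Path) -> dict[str, str]:
    """Record the SHA-256 of every .rdb/.rdx file under an installed package directory."""
    return {
        p.relative_to(pkg_dir).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(pkg_dir.rglob("*"))
        if p.is_file() and p.suffix in LAZYLOAD_SUFFIXES
    }

def verify_manifest(pkg_dir: Path, manifest: dict[str, str]) -> list[str]:
    """Return files that are new, missing or changed since the manifest was recorded."""
    current = build_manifest(pkg_dir)
    return sorted(rel for rel in set(manifest) | set(current)
                  if manifest.get(rel) != current.get(rel))

def demo_tamper_detection() -> list[str]:
    """Constructed package: record a manifest, then overwrite the .rdx as the article describes."""
    with tempfile.TemporaryDirectory() as tmp:
        pkg = Path(tmp)
        (pkg / "R").mkdir()
        (pkg / "R" / "pkg.rdb").write_bytes(b"constructed rdb payload")
        (pkg / "R" / "pkg.rdx").write_bytes(b"constructed rdx metadata")
        manifest = build_manifest(pkg)
        (pkg / "R" / "pkg.rdx").write_bytes(b"replaced rdx metadata")  # simulated overwrite
        return verify_manifest(pkg, manifest)

if __name__ == "__main__":
    print(find_deserialize_calls("m <- readRDS('model.rds')  # constructed\nx <- 1\n"))
    print(demo_tamper_detection())  # ['R/pkg.rdx']
```

Running the manifest check over an R library directory after installation, and again before each load, turns the "overwrite the .rdx file" step into a detectable change.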

About the Author

Akshaya Asokan


Senior Correspondent, ISMG

Asokan is a U.K.-based senior correspondent for Information Security Media Group's global news desk. She previously worked with IDG and other publications, reporting on developments in technology, minority rights and education.

