May 2, 2024

R Programming Language Vulnerable to Attack

By

Matthew Fagan, Access Point Consulting

By

Access Point Consulting

Summary

A vulnerability present in the R programming language on versions 1.4.0 through 4.4.0., categorized as CVE-2024-27322 (CVSSv3: 8.8), allows a remote attacker to send a maliciously crafted RDS-formatted file or R package to run arbitrary code on a user’s system. This vulnerability requires the user to interact with the RDS formatted file or R package. The research for this vulnerability comes from HiddenLayer.

Impact Assessment

Hidden Layer provides an in-depth assessment of the scope and impact of this vulnerability. According to their research, one of the functions that can be used to exploit this vulnerability appeared in GitHub repositories over 135,000 times. They believe it can be used in a supply chain attack because projects with vulnerable code are used from major software vendors such as R Studio, Facebook, Google, Microsoft, AWS, etc.

Exploitation of this vulnerability allows an attacker to execute arbitrary code remotely with user interaction using an RDS file or an R package.

What It Means for You

If you or your organization uses the R programming language in any capacity, performing an update to R v4.4.0 is paramount. Given the extensive research done and demos of exploitation by Hidden Layer, it is only a matter of time before a threat actor utilizes this vulnerability maliciously.

Remediation

Update R to version 4.4.0 or later for vulnerability remediation.

Business Implications

Exploitation of this vulnerability could affect a critical portion of the business. The R programming language is typically used with a wide variety of applications and services. If exploited, it could result in remote code execution with user interaction, which could greatly affect the business’ bottom line because the users of R often work with financial data. When this is the case, monetary and data losses are sure to follow an exploitation.

Access Point Consulting Recommends

Patch: Applying the patch to R to update to v 4.4.0 is the best method to mitigate this vulnerability.

Protect and train users: Due to this vulnerability requiring user interaction, it is important to monitor users and ensure malicious RDS formatted files or R packages reach these users. An advisory to users within your organization about this vulnerability is also recommended.

Associated Bulletins

https://jennhuck.github.io/workshops/install_update_R.html#Installing_RStudio

https://hiddenlayer.com/research/r-bitrary-code-execution/

https://nvd.nist.gov/vuln/detail/CVE-2024-27322

 

Resources

CyberWatch

May 16, 2024

Ransomware Pandemic Hits Ascension Hospitals

On May 9, Ascension, a leading private healthcare provider managing 140 hospitals across the United States, confirmed experiencing a significant ransomware attack initiated by the Black Basta group. This cybersecurity breach was first detected the day before, May 8, because of unusual activity on the organization's network systems. The attack severely disrupted operations, leading to delays and postponements of patient appointments and other healthcare services.

Find out more
May 16, 2024

Two Exploited Zero-Day Vulnerabilities Patched

Microsoft released their security updates for May of 2024 which include fixes for two zero-day vulnerabilities: CVE-2024-30040 (CVSSv3: 8.8) and CVE-2024-30051 (CVSSv3:7.8). CVE-2024-30051 (Windows DWM Core Library Elevation of Privilege Vulnerability) allows for a local attacker to exploit this vulnerability to gain system-level privileges. CVE-2024-30040 (Windows MSHTML Platform Security Feature Bypass Vulnerability) allows a remote attacker to bypass OLE mitigations in M365 and Microsoft Office that protect users from vulnerable COM/OLE controls. It requires an attacker to convince a user to load a malicious file into a vulnerable system and manipulate it. This can allow an unauthenticated attacker to achieve remote arbitrary code execution from the context of the user. Both of these vulnerabilities are known to be exploited and have each been added to CISA’s Known Exploited Vulnerabilities Catalog, giving them a heightened patch priority and associated risk.

Find out more
May 10, 2024

Fix Available for Use-After-Free Vulnerability in Tinyproxy

This is a vulnerability that exists in HTTP Connection Headers parsing in Tinyproxy 1.11.1 and Tinyproxy 1.10.1 classified as CVE-2024-49606 (CVSSv3: 9.8). Cisco Talos security researchers describe this vulnerability as a use-after-free which exists in the HTTP Connection Headers of vulnerable versions of tiny proxy. Utilizing a specially crafted HTTP header can trigger reuse of previously freed memory which leads to memory corruption and can potentially lead to remote code execution. This method does not require authentication. This vulnerability is considered a zero day, but a fix has been made available through GitHub.

Find out more

Peace of mind starts today, with Access Point Consulting

Meet with an Expert