
CERT Coordination Center

R Programming Language implementations are vulnerable to arbitrary code execution during deserialization of .rds and .rdx files

Vulnerability Note VU#238194

Original Release Date: 2024-04-29 | Last Revised: 2024-05-03

Overview

A vulnerability has been discovered in the R language that allows arbitrary code to be executed directly after the deserialization of untrusted data. The vulnerability can be exploited through files in the RDS (R Data Serialization) format and through .rdx files. An attacker can craft malicious RDS or .rdx files that execute arbitrary commands on the victim's device.

Description

R supports data serialization, the process of turning R objects and data into a format that can be deserialized in another R session, yielding a copy of the R objects from the original session.

The RDS format, most commonly seen in .rds files, is used to save and load serialized R objects. These objects are used to share state and transfer data sets across programs, and they are not expected to run code when loaded by an R implementation unless the user explicitly asks for it. R packages use .rdx files, which contain a list of offsets, lengths, and names, accompanied by a .rdb file from which the data at those offsets is read. Both .rdx and .rdb files contain RDS-formatted data. A .rds file works much like an .rdx file but stores only a single R object. A .rds or .rdx file is loaded with the readRDS function; given that information, an R implementation reads the offsets and loads the data.

R supports lazy evaluation. This is implemented through a type called Promise, which is represented in the RDS format as PROMSXP. The type is used to manage expressions that are called and completed in an asynchronous manner, when their values are needed by the program. When an object of this type is unserialized from the RDS format, the Promise requires three pieces of data: the value of the Promise, the expression, and the environment. This information is loaded by the eval function, which takes an expression, in this case the Promise, and evaluates it within the specified environment.

The vulnerability occurs when the eval function evaluates a Promise whose value is still unevaluated. The Promise expression is not evaluated at load time; instead it executes when it is referenced by the program that contains it. A threat actor can include malicious code in a .rds or .rdx file as the expression behind such an unevaluated value. When an R implementation loads a package containing that .rds or .rdx file and the promise value is reached, the referenced code executes. The code is arbitrary and runs before the victim has any opportunity to inspect which functions or objects the loaded file contains.
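As an added, defender-side illustration (this is not code from the advisory, the R project, or HiddenLayer): a Python pre-check that walks the XDR serialization stream of an .rds file and refuses it if any PROMSXP node is present anywhere in it, which is the same rule R 4.4.0's readRDS now applies internally. The SEXP type codes, flag bits, and per-type payload layout are taken from R's serialize.c as I know them, not from this page, and are assumptions to verify against the R sources. The two sample streams are constructed inline: a names-attributed character vector that should be accepted, and a bare promise node with nil value, code, and environment slots (carrying no code at all) that should be rejected. Less common node kinds such as ALTREP and byte code are deliberately treated as errors rather than silently skipped.

```python
"""Pre-check an RDS stream and refuse it if it contains a PROMSXP node."""
import gzip
import struct

# SEXP type codes and pseudo-types from R's serialize.c (assumed, not from the advisory).
PROMSXP = 5
PAIRLIST_TYPES = {2, 3, 5, 6, 17}          # LISTSXP, CLOSXP, PROMSXP, LANGSXP, DOTSXP
NO_PAYLOAD = {0, 25, 241, 242, 250, 251, 252, 253, 254}   # NILSXP, S4SXP, env/nil singletons
ELEMENT_SIZE = {10: 4, 13: 4, 14: 8, 15: 16, 24: 1}        # LGL, INT, REAL, CPLX, RAW
TYPE_NAMES = {0: "NILSXP", 1: "SYMSXP", 2: "LISTSXP", 3: "CLOSXP", 4: "ENVSXP",
              5: "PROMSXP", 6: "LANGSXP", 7: "SPECIALSXP", 8: "BUILTINSXP",
              9: "CHARSXP", 10: "LGLSXP", 13: "INTSXP", 14: "REALSXP", 15: "CPLXSXP",
              16: "STRSXP", 17: "DOTSXP", 19: "VECSXP", 20: "EXPRSXP", 24: "RAWSXP",
              25: "S4SXP", 241: "BASEENV_SXP", 242: "EMPTYENV_SXP",
              250: "BASENAMESPACE_SXP", 251: "MISSINGARG_SXP", 252: "UNBOUNDVALUE_SXP",
              253: "GLOBALENV_SXP", 254: "NILVALUE_SXP", 255: "REFSXP"}


class PromiseFound(Exception):
    """Raised as soon as a PROMSXP node is encountered in the stream."""


class Reader:
    def __init__(self, data, pos=0):
        self.data, self.pos, self.types = data, pos, set()

    def int32(self):
        (v,) = struct.unpack_from(">i", self.data, self.pos)   # XDR = big-endian
        self.pos += 4
        return v

    def take(self, n):
        chunk = self.data[self.pos:self.pos + n]
        if len(chunk) != n:
            raise ValueError("truncated stream")
        self.pos += n
        return chunk

    def length(self):
        n = self.int32()
        if n == -1:                                 # long vector: two more ints
            n = (self.int32() << 32) | (self.int32() & 0xFFFFFFFF)
        return n

    def item(self):
        flags = self.int32()
        sexptype = flags & 0xFF
        has_attr, has_tag = bool(flags & (1 << 9)), bool(flags & (1 << 10))
        self.types.add(TYPE_NAMES.get(sexptype, f"type{sexptype}"))
        if sexptype == PROMSXP:                     # refuse before touching its slots
            raise PromiseFound(f"PROMSXP at byte offset {self.pos - 4}")
        if sexptype == 255:                         # REFSXP: index packed in flags or next int
            if (flags >> 8) == 0:
                self.int32()
            return
        if sexptype in PAIRLIST_TYPES:              # attributes first, then tag, CAR, CDR
            if has_attr:
                self.item()
            if has_tag:
                self.item()
            self.item()
            self.item()
            return
        if sexptype == 1:                           # SYMSXP: its CHARSXP name
            self.item()
            return
        if sexptype == 4:                           # ENVSXP: locked, enclos, frame, hashtab, attrib
            self.int32()
            for _ in range(4):
                self.item()
            return
        if sexptype in NO_PAYLOAD:
            pass
        elif sexptype == 9:                         # CHARSXP: length (-1 = NA) then bytes
            n = self.int32()
            if n >= 0:
                self.take(n)
        elif sexptype in ELEMENT_SIZE:              # fixed-width atomic vectors
            self.take(self.length() * ELEMENT_SIZE[sexptype])
        elif sexptype in (16, 19, 20):              # STRSXP/VECSXP/EXPRSXP: elements
            for _ in range(self.length()):
                self.item()
        elif sexptype in (7, 8):                    # SPECIALSXP/BUILTINSXP: primitive name
            self.take(self.int32())
        else:
            raise ValueError(f"unsupported SEXP type {sexptype}; refuse the file")
        if has_attr:                                # non-pairlist types carry attributes last
            self.item()


def check_rds(blob):
    """Return (verdict, sorted node types seen, detail); verdict is 'accept' or 'reject'."""
    data = gzip.decompress(blob) if blob[:2] == b"\x1f\x8b" else blob
    if data[:2] != b"X\n":
        raise ValueError("only the XDR binary serialization format is handled here")
    r = Reader(data, 2)
    version = r.int32()
    r.int32(); r.int32()                            # writer and minimum-reader R versions
    if version == 3:
        r.take(r.int32())                           # native encoding name, e.g. "UTF-8"
    try:
        r.item()
    except PromiseFound as e:
        return "reject", sorted(r.types), str(e)
    if r.pos != len(data):
        raise ValueError("trailing bytes after the top-level object")
    return "accept", sorted(r.types), ""


# Constructed samples (format version 3, written by "R 4.3.1", min reader 3.5.0, UTF-8).
HEADER = b"X\n" + struct.pack(">iiii", 3, 0x00040301, 0x00030500, 5) + b"UTF-8"
# c(a = "hello"): STRSXP with a `names` attribute held in a tagged pairlist.
SAFE_RDS = gzip.compress(
    HEADER + struct.pack(">ii", 0x210, 1) + struct.pack(">ii", 0x40009, 5) + b"hello"
    + struct.pack(">i", 0x402)                                            # LISTSXP + tag
    + struct.pack(">i", 1) + struct.pack(">ii", 0x40009, 5) + b"names"    # tag: SYMSXP
    + struct.pack(">ii", 0x10, 1) + struct.pack(">ii", 0x40009, 1) + b"a"  # CAR: STRSXP
    + struct.pack(">i", 0xFE))                                            # CDR: NILVALUE_SXP
# A bare promise node whose value and code slots are both nil: no code, but still rejected.
PROMISE_RDS = HEADER + struct.pack(">i", PROMSXP) + struct.pack(">i", 0xFE) * 2

if __name__ == "__main__":
    for name, blob in (("safe", SAFE_RDS), ("promise", PROMISE_RDS)):
        print(name, check_rds(blob))
```

The check is a gate to put in front of readRDS in a pipeline that ingests third-party .rds files on R versions before 4.4.0; any parse error is treated as a reason to refuse the file rather than fall through to the real loader.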

Impact

An attacker can create malicious .rds and .rdx files and use social engineering to distribute them, executing arbitrary code on the victim's device. Projects that call readRDS on untrusted files are also vulnerable. Attackers can further leverage system commands to access resources available to the application and exfiltrate data from any environment the application can reach on the target device. The code in the malicious files can also be used to access adjacent resources such as other computers and devices, devices in a cluster, and shared documents or folders available to the application.

Solution

Apply Updates

The R project has provided R Core version 4.4.0, which addresses the vulnerability. R Core version 4.4.0 now restricts promises in the serialization stream so that they cannot be used to implement lazy evaluation. Apply the update at your earliest convenience.

Secure or Sandbox RDS file usage

Treat untrusted or third-party .rds, .rdb, and .rdx files as hostile: load and use them only inside a container or a sandbox environment, so that any code they execute cannot reach unintended resources.

Acknowledgements

Thanks to the reporters, Kasimir Schulz and Kieran Evans of HiddenLayer, for reporting this vulnerability. This document was written by Christopher Cullen.

Vendor Information


R Programming Language Affected

Notified:  2024-04-08 Updated: 2024-04-29

Statement Date:   April 19, 2024

CVE-2024-27322 Affected

Vendor Statement

The report is correct; it has to be noted that a general purpose computational system such as R has always had interfaces to the underlying OS including possibilities to spawn sub processes, notably a shell with arbitrary "command line". This has been true for all such systems, APL, Matlab, Python, Julia, ... you name it. In that sense R is "too powerful" the same as other such systems in any case. The CVE-2024-27322 is just making use of this fact in a way that is very much hidden from the user.

Hence, indeed, R 4.4.0 which will be released April 24 (as source) and within a few days as Windows and Mac binaries (and eventually also redistributed via Linux distribution package systems) will no longer allow such R promises to become active in RDS files (and similar files containing serialized R objects).

------- Update (April 19): Indeed, I've checked the following R code with a recent R 4.4.0 RC (RC = release cand.) of today and now get

> x <- readRDS("pwned.rds")
Error in readRDS("pwned.rds") : cannot return a promise (PROMSXP) object

> R.version.string
[1] "R version 4.4.0 RC (2024-04-16 r86444)"
> 

which confirms that we have addressed the problem pretty generally. Note that R 4.4.0 pre-releases are available - in source from https://cran.r-project.org/ https://cran.r-project.org/src/base-prerelease/?C=M;O=D - as binary installable on Windows from https://cran.r-project.org/bin/windows/base/rtest.html

Amazon Unknown

Notified:  2024-04-23 Updated: 2024-04-29

CVE-2024-27322 Unknown

Vendor Statement

We have not received a statement from the vendor.

Google Unknown

Notified:  2024-04-23 Updated: 2024-04-29

CVE-2024-27322 Unknown

Vendor Statement

We have not received a statement from the vendor.

IBM Unknown

Notified:  2024-04-23 Updated: 2024-04-29

CVE-2024-27322 Unknown

Vendor Statement

We have not received a statement from the vendor.

Intel Unknown

Notified:  2024-04-23 Updated: 2024-04-29

CVE-2024-27322 Unknown

Vendor Statement

We have not received a statement from the vendor.

Meta Unknown

Notified:  2024-04-23 Updated: 2024-04-29

CVE-2024-27322 Unknown

Vendor Statement

We have not received a statement from the vendor.

Microsoft Unknown

Notified:  2024-04-23 Updated: 2024-04-29

CVE-2024-27322 Unknown

Vendor Statement

We have not received a statement from the vendor.

Netflix Inc. Unknown

Notified:  2024-04-23 Updated: 2024-04-29

CVE-2024-27322 Unknown

Vendor Statement

We have not received a statement from the vendor.

Other Information

CVE IDs: CVE-2024-27322
API URL: VINCE JSON | CSAF
Date Public: 2024-04-29
Date First Published: 2024-04-29
Date Last Updated: 2024-05-03 16:07 UTC
Document Revision: 3

Sponsored by CISA.