New R Programming Vulnerability Exposes Projects to Supply Chain Attacks

admin, 2 May 2024 06:35:42

A security vulnerability has been discovered in the R programming language that could be exploited by a threat actor to create a malicious RDS (R Data Serialization) file such that it results in code execution when loaded and referenced.

The flaw, assigned the CVE identifier CVE-2024-27322, "involves the use of promise objects and lazy evaluation in R," AI application security company HiddenLayer said in a report shared with The Hacker News.

RDS, like pickle in Python, is a format used to serialize and save the state of data structures or objects in R, an open-source programming language used in statistical computing, data visualization, and machine learning.

This process of serialization (serialize() or saveRDS()) and deserialization (unserialize() and readRDS()) is also used when saving and loading R packages.

The root cause of CVE-2024-27322 is that deserializing untrusted data can lead to arbitrary code execution, which leaves users exposed to supply chain attacks through specially crafted R packages.

An attacker looking to weaponize the flaw could therefore take advantage of the fact that R packages leverage the RDS format to save and load data, causing automatic code execution when the package is decompressed and deserialized.

"R packages are vulnerable to this exploit and can, therefore, be used as part of a supply chain attack via package repositories," security researchers Kasimir Schulz and Kieran Evans said. "For an attacker to take over an R package, all they need to do is overwrite the rdx file with the maliciously crafted file, and when the package is loaded, it will automatically execute the code."

The security defect has been addressed in version 4.4.0 released on April 24, 2024, following responsible disclosure.

"An attacker can exploit this [flaw] by crafting a file in RDS format that contains a promise instruction setting the value to unbound_value and the expression to contain arbitrary code," HiddenLayer said. "Due to lazy evaluation, the expression will only be evaluated and run when the symbol associated with the RDS file is accessed."

"Therefore if this is simply an RDS file, when a user assigns it a symbol (variable) in order to work with it, the arbitrary code will be executed when the user references that symbol. If the object is compiled within an R package, the package can be added to an R repository such as CRAN, and the expression will be evaluated and the arbitrary code run when a user loads that package."


References

[1]https://thehackernews.com/2024/04/new-r-programming-vulnerability-exposes.html

Originally published on the WeChat official account 知机安全: New R Programming Vulnerability Exposes Projects to Supply Chain Attacks

  • Reposts must keep this link (CN-SEC 中文网; thanks to the original author for their work): New R Programming Vulnerability Exposes Projects to Supply Chain Attacks https://cn-sec.com/archives/2701010.html
