CVE-2024-27322: 
R for Windows vulnerability analysis and mitigation

A critical deserialization vulnerability (CVE-2024-27322) was discovered in the R statistical programming language affecting versions from 1.4.0 up to but not including 4.4.0. The vulnerability enables maliciously crafted RDS (R Data Serialization) formatted files or R packages to execute arbitrary code on an end user's system when interacted with (HiddenLayer Research, CERT VU).

The vulnerability exploits R's serialization and deserialization process through the use of promise objects and lazy evaluation. The attack involves crafting a malicious RDS file containing a promise instruction that sets the value to unbound_value and includes arbitrary code in the expression. Due to lazy evaluation, the malicious code is executed when the deserialized object is accessed. The vulnerability received a CVSS v3.1 Base Score of 8.8 (HIGH) with vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H (NVD).

The vulnerability has far-reaching implications across multiple sectors including healthcare, finance, and government agencies that use R for statistical analysis and machine learning. The issue affects over 135,000 R source files referencing readRDS, including projects from major software vendors like R Studio, Facebook, Google, Microsoft, and AWS. Additionally, the vulnerability can be exploited through R packages in the CRAN repository, which hosts over 20,000 packages, potentially enabling supply chain attacks (HiddenLayer Research).

The vulnerability has been patched in R version 4.4.0, which restricts promises in the serialization stream so they are not used for implementing lazy evaluation. Users are strongly advised to upgrade to this version or later. Fedora has also released security updates for versions 38 and 39 to address this vulnerability (Fedora Update).