On April 29, 2024, security researchers discovered a vulnerability that affects version 4.3 (and earlier) of the R programming language. The vulnerability allows a threat actor to arbitrarily execute code on targeted devices. The full details are here.

This vulnerability is fixed in R version 4.4, which is available on DataLab. You are strongly advised to upgrade the R version of any workbooks you are actively using from R version 4.2 to R version 4.4.

Impact

An attacker can craft malicious .rds and .rdx files and use social engineering to get a victim to open them, executing arbitrary code on the victim's device. Projects that call readRDS on untrusted files are vulnerable in the same way. Once code is running, the attacker can issue system commands to reach resources available to the application and exfiltrate data from any environment the application can access on the target device. The code in the malicious files can also be used to reach adjacent resources such as other computers/devices, devices in a cluster, and shared documents/folders available to the application.
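The defensive gate this implies around readRDS, as an added example that is not part of the original post or of R itself: it refuses to deserialize on the affected R versions, and on a fixed version it only reads files whose SHA-256 digest matches a known-good allowlist, so a swapped-in .rds file is rejected before readRDS parses it. It assumes the CRAN digest package is installed; the allowlist entry and the file the demo creates are constructed.

```r
# Added example (not from the original post): a guarded wrapper around readRDS.
# Assumes the CRAN 'digest' package is installed; the allowlist is constructed.
library(digest)

# Constructed allowlist: SHA-256 digests of .rds files we produced ourselves.
TRUSTED_RDS_SHA256 <- c(
  "model.rds" = "<sha256-of-known-good-file-placeholder>"
)

safe_readRDS <- function(path, allowlist = TRUSTED_RDS_SHA256) {
  # 1. Refuse to deserialize at all on the R versions the post lists as affected.
  if (getRversion() < "4.4.0") {
    stop("R ", getRversion(), " is affected by the .rds/.rdx deserialization ",
         "vulnerability; upgrade to R 4.4 before calling readRDS()")
  }
  # 2. Only deserialize files whose content matches a known-good digest, so a
  #    file replaced via social engineering is rejected before it is parsed.
  actual   <- digest(path, algo = "sha256", file = TRUE)
  expected <- allowlist[basename(path)]
  if (is.na(expected) || !identical(tolower(unname(expected)), actual)) {
    stop("refusing to deserialize ", path, ": digest ", actual,
         " is not in the allowlist")
  }
  readRDS(path)
}

# Demonstration with a file we create ourselves (constructed, not from the post).
tmp <- tempfile(fileext = ".rds")
saveRDS(list(a = 1:3), tmp)
TRUSTED_RDS_SHA256[basename(tmp)] <- digest(tmp, algo = "sha256", file = TRUE)
obj <- safe_readRDS(tmp, TRUSTED_RDS_SHA256)   # digest matches: deserialized
str(obj)

# Overwrite the file's contents: the guard now refuses it before readRDS runs.
writeBin(as.raw(0x00), tmp)
res <- tryCatch(safe_readRDS(tmp, TRUSTED_RDS_SHA256),
                error = function(e) conditionMessage(e))
print(res)
```

On an affected R version the wrapper stops at the version check, which is the intended behaviour: upgrading to 4.4 is the fix, and the digest check only limits exposure from files of unknown origin.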



Reference:

  1. R Programming Language implementations are vulnerable to arbitrary code execution during deserialization of .rds and .rdx files