HiddenLayer Uncovers Deserialization Vulnerability in Open-Source Programming Language, R

HiddenLayer

HiddenLayer, the leading security provider for artificial intelligence (AI) models and assets, has exposed a vulnerability in R, an open-source statistical programming language. This threat leaves users across critical sectors, including government, medical, and financial industries, vulnerable to targeted and supply chain attacks.

R is an open-source programming language and software environment for statistical computing, data visualization, and machine learning. HiddenLayer researchers discovered a vulnerability, CVE-2024-27322, that allows for arbitrary code execution by deserializing untrusted data. This can be exploited through the loading of RDS (R Data Serialization) files or R packages, which are often shared between developers and data scientists. Researchers found that an attacker could create malicious RDS files or R packages containing embedded arbitrary R code that executes on the victim’s target device upon interaction.

This carries significant implications given the widespread use of the R language among major organizations in the healthcare, finance, and government industries, as evidenced by R conferences which previously featured speakers from NASA, the World Health Organization (WHO), the US Food and Drug Administration (FDA), and the US Army. R has also become increasingly popular in the AI/ML field due to its usage of large datasets and dedicated following in the open-source community, with projects like Bioconductor being referenced in their documentation, boasting over 42 million downloads, and The Comprehensive R Archive Network (CRAN) repository hosting over 20,000 packages to date. Projects containing potentially vulnerable code were found within GitHub repositories from R Studio, Facebook, Google, Microsoft, AWS, and other major software vendors.

Also Read: VistaVu Solutions Achieves GROW with SAP Designation

“R is indispensable across many critical sectors for its analytical capabilities and growing popularity to power machine learning projects. Its collaborative ecosystem fosters flexibility and innovation,” said Chris (Tito) Sestito, co-founder and CEO of HiddenLayer. “We appreciate the collaboration with R and CISA that swiftly addressed this vulnerability, ensuring our clients and wider industries can continue safely utilizing these platforms.”

As the rapid integration of AI outpaces the deployment of adequate security measures, organizations must implement more stringent security protocols for AI technologies. HiddenLayer‘s AISec Platform provides a comprehensive suite of products designed to safeguard ML models against adversarial attacks, vulnerabilities, and malicious code injections, offering organizations defense against emerging threats to AI. The AISec Platform will provide protection from this vulnerability in its Q2 product release.

SOURCE: PRNewsWire