A recently disclosed vulnerability in the R programming language could provide attackers with a foothold to execute arbitrary commands on a system running an unpatched version of R. R is a language widely used at UVM by researchers for a variety of tasks, including statistical analysis and data visualization.
This vulnerability has not yet been assigned a severity score, but it is tracked as CVE-2024-27322. Given that it appears to be easy to exploit and to have potentially severe consequences, it should be treated as critical at this time. Exploitation requires that attackers alter an R Data Serialization (RDS) file, which can then be included in publicly available R packages. Beyond arbitrary code running within the affected program itself, any commands run as a result of this exploit will run with the permissions of the parent package, potentially permitting lateral movement. A good technical summary is available here.
CVE-2024-27322 affects all versions of R prior to 4.4.0. Installations of R should be updated to 4.4.0 or later as soon as possible. In addition, use extreme caution when installing new packages on unpatched instances until an update is possible.
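As an added check that is not part of this advisory, the POSIX shell helper below classifies an R version string against the 4.4.0 fix threshold for CVE-2024-27322, so it can be dropped into an inventory script; `check_installed_r` assumes an `R` binary on PATH and reads the first line of `R --version`.

```shell
#!/bin/sh
# Added example (not from the advisory): flag R installations older than
# 4.4.0, the first release fixing CVE-2024-27322.

# r_version_vulnerable VERSION
# Accepts "4.3.2" or a full banner such as "R version 4.3.2 (2023-10-31)".
# Returns 0 when the version is below 4.4.0, 1 when it is 4.4.0 or later,
# and 2 when no version number can be found in the input.
r_version_vulnerable() {
    ver=$(printf '%s\n' "$1" | sed -n 's/^[^0-9]*\([0-9][0-9.]*\).*/\1/p')
    [ -n "$ver" ] || return 2

    major=${ver%%.*}
    rest=${ver#"$major"}
    rest=${rest#.}
    minor=${rest%%.*}
    [ -n "$minor" ] || minor=0

    # Numeric comparison, so 4.10.x correctly sorts after 4.4.0.
    if [ "$major" -lt 4 ]; then return 0; fi
    if [ "$major" -eq 4 ] && [ "$minor" -lt 4 ]; then return 0; fi
    return 1
}

# check_installed_r: report on the R binary found on PATH (if any).
# Returns 0 when a vulnerable version is found, 1 when patched, 2 if unknown.
check_installed_r() {
    command -v R >/dev/null 2>&1 || { echo "R not found on PATH"; return 2; }
    banner=$(R --version 2>/dev/null | head -n 1)
    if r_version_vulnerable "$banner"; then
        echo "VULNERABLE: $banner (update to R 4.4.0 or later)"
        return 0
    fi
    echo "OK: $banner"
    return 1
}
```

Run `check_installed_r` from an inventory job and treat exit status 0 as a finding; the version banner is parsed from its leading digits only, so distribution suffixes do not affect the result.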