Vulnerability Threatens Users in Critical Government, Medical, and Financial Sectors

AUSTIN, Texas, April 29, 2024 /PRNewswire/ — HiddenLayer, the leading security provider for artificial intelligence (AI) models and assets, has exposed a vulnerability in R, an open-source statistical programming language. This threat leaves users across critical sectors, including government, medical, and financial industries, vulnerable to targeted and supply chain attacks.

R is an open-source programming language and software environment for statistical computing, data visualization, and machine learning. HiddenLayer researchers discovered a vulnerability, CVE-2024-27322, that allows for arbitrary code execution by deserializing untrusted data. This can be exploited through the loading of RDS (R Data Serialization) files or R packages, which are often shared between developers and data scientists. Researchers found that an attacker could create malicious RDS files or R packages containing embedded arbitrary R code that executes on the victim’s target device upon interaction.

This carries significant implications given the widespread use of the R language among major organizations in the healthcare, finance, and government industries, as evidenced by R conferences which previously featured speakers from NASA, the World Health Organization (WHO), the US Food and Drug Administration (FDA), and the US Army. R has also become increasingly popular in the AI/ML field due to its usage of large datasets and dedicated following in the open-source community, with projects like Bioconductor being referenced in their documentation, boasting over 42 million downloads, and The Comprehensive R Archive Network (CRAN) repository hosting over 20,000 packages to date. Projects containing potentially vulnerable code were found within GitHub repositories from R Studio, Facebook, Google, Microsoft, AWS, and other major software vendors.

“R is indispensable across many critical sectors for its analytical capabilities and growing popularity to power machine learning projects. Its collaborative ecosystem fosters flexibility and innovation,” said Chris (Tito) Sestito, co-founder and CEO of HiddenLayer. “We appreciate the collaboration with R and CISA that swiftly addressed this vulnerability, ensuring our clients and wider industries can continue safely utilizing these platforms.”

As the rapid integration of AI outpaces the deployment of adequate security measures, organizations must implement more stringent security protocols for AI technologies. HiddenLayer’s AISec Platform provides a comprehensive suite of products designed to safeguard ML models against adversarial attacks, vulnerabilities, and malicious code injections, offering organizations defense against emerging threats to AI. The AISec Platform will provide protection from this vulnerability in its Q2 product release.

Learn more about this vulnerability in HiddenLayer’s blog post “R-bitrary Code Execution: Vulnerability in R’s Deserialization.”

Following our responsible disclosure process, HiddenLayer worked closely with the team at R who worked quickly to patch this vulnerability within the most recent release – R v4.4.0, and CISA to support remediation efforts.

About HiddenLayer
HiddenLayer is the leading provider of security for AI. Its security platform helps enterprises safeguard the machine learning models behind their most important products. HiddenLayer is the only company to offer turnkey security for AI that does not add unnecessary complexity to models and does not require access to raw data and algorithms. Founded by a team with deep roots in security and ML, HiddenLayer aims to protect enterprise AI from inference, bypass, extraction attacks, and model theft. The company is backed by a group of strategic investors, including M12, Microsoft’s Venture Fund, Moore Strategic Ventures, Booz Allen Ventures, IBM Ventures, and Capital One Ventures.

Contact
Maia Gryskiewicz
SutherlandGold for HiddenLayer
hiddenlayer@sutherlandgold.com

View original content to download multimedia:https://www.prnewswire.com/news-releases/hiddenlayer-uncovers-deserialization-vulnerability-in-open-source-programming-language-r-302129915.html

SOURCE HiddenLayer