![]() RStudio is a development environment for R. As with initial installation, cryptographic hashes are provided in order to validate updates, but those hashes are themselves delivered in the clear. R7-2015-10.3: Cleartext-only Update ProcedureĪs with library installations, in-product library and application updates are also conducted over cleartext HTTP. Attacks would involve either perform man-in-the-middle networking attacks or DNS poisoning at the time of installation of the affected components. In most cases, the first and second vulnerabilities can only be leveraged by an attacker who has access to the local LAN environment, or has some level of control over the upstream network. Upon using a poisoned R package, an attacker can gain control of the target with the privileges of the R user. The procedure for installing common R packages (programming libraries) also uses cleartext HTTP, and there appears to be no way to specify an HTTPS or other cryptographically secure source. R7-2015-10.2: Cleartext-only Installation of R Packages ![]() By poisoning the initial installation, the attacker can gain control of the target with Administrator privileges. ![]() The initial, recommended installation procedure is conducted over HTTP, rather than HTTPS, and the download source page is delivered over HTTP as well, with no HTTPS equivalent. R7-2015-10.1: Cleartext-only Initial Installation of RStudio has shown they are committed to security and continues to be remarkably responsive to this set of vulnerability disclosures, both by fixing their own update implementations, and working with the larger R community to address related issues. In addition, R version 3.2.2 was released and now uses HTTPS internally for package updates by default. End-users and distributors of RStudio are encouraged to update to this latest version. This version addresses all of the below concerns. Since reporting these issues, RStudio version 0.99.473 has been released. This advisory will discuss all three issues. A remote attacker could leverage these flaws to run arbitrary code in the context of the system Administrator by leveraging two particular flaws in the update process, and as the RStudio user via the third update process flaw. Prior to RStudio version 0.99.473, the RStudio integrated toolset for Windows is installed and updated in an insecure manner.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |