Prior to RStudio version 0.99.473, the RStudio integrated toolset for Windows is installed and updated in an insecure manner. A remote attacker could leverage these flaws to run arbitrary code in the context of the system Administrator by leveraging two particular flaws in the update process, and as the RStudio user via the third update process flaw. This advisory will discuss all three issues.
Since reporting these issues, RStudio version 0.99.473 has been released. This version addresses all of the below concerns. End-users and distributors of RStudio are encouraged to update to this latest version. In addition, R version 3.2.2 was released and now uses HTTPS internally for package updates by default.
RStudio, Inc. has shown they are committed to security and continues to be remarkably responsive to this set of vulnerability disclosures, both by fixing their own update implementations, and working with the larger R community to address related issues.
R7-2015-10.1: Cleartext-only Initial Installation of RStudio
The initial, recommended installation procedure is conducted over HTTP, rather than HTTPS, and the download source page is delivered over HTTP as well, with no HTTPS equivalent. By poisoning the initial installation, the attacker can gain control of the target with Administrator privileges.
R7-2015-10.2: Cleartext-only Installation of R Packages
The procedure for installing common R packages (programming libraries) also uses cleartext HTTP, and there appears to be no way to specify an HTTPS or other cryptographically secure source. Upon using a poisoned R package, an attacker can gain control of the target with the privileges of the R user.
In most cases, the first and second vulnerabilities can only be leveraged by an attacker who has access to the local LAN environment, or has some level of control over the upstream network. Attacks would involve either perform man-in-the-middle networking attacks or DNS poisoning at the time of installation of the affected components.
R7-2015-10.3: Cleartext-only Update Procedure
As with library installations, in-product library and application updates are also conducted over cleartext HTTP. As with initial installation, cryptographic hashes are provided in order to validate updates, but those hashes are themselves delivered in the clear.
RStudio is a development environment for R. R is a programming language used largely for developing software in the fields of statistical analysis, machine learning, data science, and similar domains. RStudio is maintained by RStudio, Inc., and is an affiliated project with the Foundation for Open Access Statistics (FOAS).
R (the language) and the Comprehensive R Archive Network (CRAN) is maintained by the R Foundation.
While it is difficult to gauge how many installations are affected, R is the third most popular software package mentioned in academic papers, and the fifth most cited analytics software package in current job listings, according to The Popularity of Data Analysis Software by Robert A. Muenchen.
Installing and updating RStudio requires Administrator privileges.
These vulnerabilities were reported by Tod Beardsley of Rapid7, Inc.
An unauthenticated, remote attacker may exploit these vulnerabilities under certain circumstances. While local machine access is not required, local or upstream network access is. An attacker would need to have the ability to alter the cleartext communication between the intended source of software -- www.rstudio.org and download1.rstudio.org in the case of R7-2015-10.1 and R7-2015-10.3, or several package-hosting domains including cran.rstudio.org and www.stats.ox.ac.uk in the case of R7-2015-10.2. The easiest way to achieve this would be through a DNS Hijacking attack on these domains. This would require an attacker capable of either altering DNS responses in flight, by posing as a legitimate DNS server, or by poisoning a cached response on the DNS server.
A more complex attack would involve a Man-in-the-Middle (MITM) attack which would intercept the cleartext TCP/IP packets or cleartext HTTP responses, and rewriting legitimate responses to provide the attacker-supplied data.
Both the DNS Hijacking and MITM attacks would require the attacker to either have some control over the local network, the network providing DNS or HTTP responses, or a hop in between. In the case of public, shared Wifi, this is easily accomplished using standard Wireless Access Point spoofing techniques.
Note that in the case of R7-2015-10.3 and R7-2015-10.2 for package installation, package update, and application updates, the existing mechanism for obtaining packages and updates relies on providing a trusted URL over an untrusted channel. Altering this response is all that is needed in order to successfully exploit the target.
To illustrate, a request for an update, which happens automatically upon startup, can be simulated as:
$ curl -iHL "http://www.rstudio.org/links/check_for_update?version=0.1.1&os=windows&format=kvp" HTTP/1.1 200 OK Date: Tue, 30 Jun 2015 14:08:46 GMT Server: Apache/2.2.29 Content-Length: 190 Content-Type: text/html; charset=UTF-8 update-version=0.99.441&update-url=http%3A%2F%2Fwww.rstudio.org%2Fdownload%2Fdesktop&update-message=RStudio%200.99.441%20is%20now%20available%20%28you%27re%20using%200.1.1%29&update-urgent=0
Patches and Mitigations
Updating to the latest version of RStudio effectively remedies all of the issues described here. Updates can be obtained at https://www.rstudio.com/products/rstudio/download/. Note the HTTPS transport.
In addition, the core R language has also been updated to prefer secure package retrieval. This is detailed in the R Release notes.
What follows is advice for securing environments in the event patching production systems is delayed. These strategies should considered short-term, partial solutions until updated versions are obtained and installed.
In the absence of a patch, one practical mitigation to these vulnerabilities for the user is to ensure that the local network is, in fact, trusted, and only trusted users and machines are permitted to connect to it during the installation and update to RStudio and R packages. While these attacks may occur upstream from the target's local network, such an attack would take significantly more control and planning to execute.
One way to mitigate this issue today is to obtain a copy of the RStudio installer from a trusted party over a reasonably secure mechanism, such as an HTTPS website or a signed PGP package delivery system. Debian's apt-based distribution, for example, provides a normally highly secure package installation platform.
RStudio does provide a mechanism to install packages locally, provided a local path, which can be used to mitigate the direct effects of R7-2015-10.2. However, this depends on the user having some external, trusted mechanism to validate the packages to be installed, and would prevent the user from using the built-in install and update packages functionality.
While package updates do not appear to occur automatically, application update checks happen with every start. This can be avoided by unchecking the "Automatically notify me of updates to RStudio" option under "Tools: Global Options: General," and not checking for updates in-product.
JJ Allaire published an in-depth blog post entitled, Secure Package Downloads for R, at http://blog.rstudio.org/2015/08/17/secure-https-connections-for-r/
Tal Galili highlighted the switch from HTTP to HTTPS as a default mechanism for package updates in his blog post, http://www.r-statistics.com/2015/08/r-3-2-2-is-released/
The R Consortium has produced a backwards-compatible best practices guide for using R securely, at https://www.r-consortium.org/news/blogs/2015/08/best-practices-using-r-securely .
This vulnerability advisory was prepared in accordance with Rapid7's disclosure policy. Initial contact was attempted through the R Project (r-project.org), and then successfully established with the vendor directly.
Thu, Jun 11, 2015: Initial discovery by Tod Beardsley, Rapid7, Inc.
Thu, Jun 11, 2015: Attempt to contact email@example.com (failed)
Mon, Jun 29, 2015: Attempt to contact firstname.lastname@example.org
Tue, Jun 30, 2015: Response from the vendor and details provided
Mon, Jul 13, 2015: Analysis and updates by the vendor
Tue, Jul 14, 2015: Disclose details to CERT/CC (email@example.com), VU#734892
Wed, Aug 12, 2015: RStudio 0.99.473 is released, addressing all issues.
Fri, Aug 14, 2015: R 3.2.2 is released, supporting default HTTPS updates
Wed, Aug 19, 2015: Status updates are provided by the vendor
Fri, Aug 28, 2015: Public disclosure
The timeline for disclosure and the associated blog posts referenced above show that not only has RStudio addressed these issues quickly and effectively, but that they worked closely with the larger R community to ensure that the commercial and academic user bases for R and RStudio can operate in a safe and secure manner. RStudio, Inc. is a model Internet citizen when it comes to vulnerability handling and coordinated disclosure.