[R] registry vulnerabilities in R

Bert Gunter gunter.berton at gene.com
Wed May 9 07:22:22 CEST 2012


I am totally ignorant on these matters, but ...

R is open source statistical software written largely for (and used a
lot by) academics for research. So I would not be surprised if it has
"security vulnerabilities". As usual, the GPL explicitly exempts the R
organization from any responsibility on these matters. "R comes with
no guarantees."

That said, you'd have to check with R core about how they try to
defend against errant code being deposited on CRAN and distributed.
AFAICS, they do a damn good job. At least, I've never heard of
complaints of problems.

-- Bert

On Tue, May 8, 2012 at 8:10 AM, Paul Martin <pamartin at alum.mit.edu> wrote:
>
>   Kirtland Air Force Base has denied approval for the use of R on its
>   Windows network. Some of their objections seem a bit strange, but some
>   appear to be legitimate. In particular, they have detected registry
>   "vulnerabilities" which are detailed in the attachment.
>   I know nothing about Windows registry vulnerabilities. If any of these
>   issues are legitimate concerns, I would like to see them fixed for
>   everyone's benefit. I would appreciate a referral to the appropriate
>   forum for this information. I am willing to assist in getting questions
>   answered and gathering additional information.
>   Thank you,
>   Paul Martin
>   Air Force Research Laboratory
>   Kirtland Air Force Base
>   Albuquerque, New Mexico
>   -------- Original Message --------
>
>   Subject: FW: R/RStudio Software
>   Date: Fri, 4 May 2012 15:15:20 -0600
>   From: Martin, Paul A Civ USAF AFMC AFRL/RVSEF
>   [1]<Paul.Martin at kirtland.af.mil>
>   To: [2]<pamartin at alum.mit.edu>
>
> -----Original Message-----
> From: Goel, Suman K Civ USAF AFMC AFRL/RVIO
> Sent: Friday, May 04, 2012 3:13 PM
> To: Martin, Paul A Civ USAF AFMC AFRL/RVSEF
> Subject: RE: R/RStudio Software
>
> Mr. Martin,
>
> RStudio is an IDE for writing R code. I installed RStudio first but it
> doesn't work without R so I tested them together.
>
> When I test software, usually the registry analysis file is blank. But this
> one happened to have numerous registry vulnerabilities - see attached. For most
> of them I don't even know if they affect the software.
> Collaboration P2P Host In TCP/Out TCP allowed seemed troubling.
>
> Thanks,
> Suman
>
> -----Original Message-----
> From: Martin, Paul A Civ USAF AFMC AFRL/RVSEF
> Sent: Friday, May 04, 2012 2:51 PM
> To: Goel, Suman K Civ USAF AFMC AFRL/RVIO
> Subject: RE: R/RStudio Software
>
> Ms. Goel,
>
> Sorry to bother you again with this, but I have two more questions:
>
> 1. Were these vulnerabilities found in both R and RStudio?
>
> 2. Could you be more explicit about the registry vulnerabilities? This is
> the only item where I could potentially get some issues addressed. Even if
> I cannot get this software on the NIPRNET, I can pass along your discoveries
> and help the community improve their code.
>
> Thank you,
>
> Paul Martin
>
> -----Original Message-----
> From: Goel, Suman K Civ USAF AFMC AFRL/RVIO
> Sent: Friday, May 04, 2012 2:34 PM
> To: Martin, Paul A Civ USAF AFMC AFRL/RVSEF
> Cc: Goel, Suman K Civ USAF AFMC AFRL/RVIO
> Subject: RE: R/RStudio Software
>
> Mr. Martin,
>
> Thank you for understanding. Here are some examples of vulnerabilities.
>
> Numerous forbidden file extensions.
> Numerous registry vulnerabilities
> Network connections to foreign IP address
>
> Many vulnerabilities are firewall policies related under restricted
> services.
>
> Once again, thank you,
>
> Respectfully,
> Suman
>
>
> -----Original Message-----
> From: Martin, Paul A Civ USAF AFMC AFRL/RVSEF
> Sent: Friday, May 04, 2012 2:12 PM
> To: Goel, Suman K Civ USAF AFMC AFRL/RVIO
> Subject: RE: R/RStudio Software
>
> Suman,
>
> Thank you for your reply. If it is not too much trouble, could you enumerate
> the issues you found, so that I can forward the list to the team maintaining
> the R software? I have no idea what kind of response to expect, but these
> people should at least be aware of the issues.
>
> Thank you.
>
> Paul Martin
>
> From: Goel, Suman K Civ USAF AFMC AFRL/RVIO
> Sent: Friday, May 04, 2012 2:07 PM
> To: Martin, Paul A Civ USAF AFMC AFRL/RVSEF
> Cc: Motes, Raymond A Civ USAF AFMC AFRL/RVSE; Serafico, Romeo G Civ USAF
> AFMC AFRL/RVIO; Mickey, Dallas C Civ USAF AFMC AFRL/RVIO; Trujillo, Lloyd P
> Civ USAF AFMC AFRL/RVIO
> Subject: R/RStudio Software
>
>
> Mr. Martin,
>
> After completing the vulnerability analysis, we decided to decline to
> approve R/RStudio software on the NIPRNet. We discovered many unmitigated
> risks and numerous registry vulnerabilities. The above-mentioned open source
> software poses high risks to the NIPRNet. We recommend using software from
> the Kirtland Base approved list. Here are some examples of the base approved
> statistical software:
>
> SPSS v19.x
> LISREL v8.x
> JMP v8.x - soon to certify JMP v9 or 10
> Matlab v7.x
> Mathematica v8.x
> OriginPro v8.x
>
> If you like, we can add the following statistical software to the base list,
> which will be available on May 25th.
>
> Minitab v16.x
> SAS v9.x
> Maple v15.x
>
> In addition, please let us know if you have any other proprietary
> statistical software in mind. We can get those certified for the Base ATO.
>
> I apologize that this may cause an interruption in your project. Most
> proprietary software is safe for NIPRNet use but this one caused some
> concerns. However, this can be continued on a standalone system. Please
> accept my humble apology.
>
> Thanks,
>
> Respectfully,
>
> Suman Goel
> 505-846-5357
> AFRL/RVIO
>
> References
>
>   1. mailto:Paul.Martin at kirtland.af.mil
>   2. mailto:pamartin at alum.mit.edu
>
> ______________________________________________
> R-help at r-project.org mailing list
> https://stat.ethz.ch/mailman/listinfo/r-help
> PLEASE do read the posting guide http://www.R-project.org/posting-guide.html
> and provide commented, minimal, self-contained, reproducible code.
>



-- 

Bert Gunter
Genentech Nonclinical Biostatistics

Internal Contact Info:
Phone: 467-7374
Website:
http://pharmadevelopment.roche.com/index/pdb/pdb-functional-groups/pdb-biostatistics/pdb-ncb-home.htm
