[R] registry vulnerabilities in R
Duncan Murdoch
murdoch.duncan at gmail.com
Wed May 9 16:57:22 CEST 2012
On 08/05/2012 11:10 AM, Paul Martin wrote:
> Kirtland Air Force Base has denied approval for the use of R on its
> Windows network. Some of their objections seem a bit strange, but some
> appear to be legitimate. In particular, they have detected registry
> "vulnerabilities" which are detailed in the attachment.
I suspect their test is wrong, but I can't say for sure, because they
apparently tested R within RStudio. I know R didn't have anything to do
with most of those registry entries that were listed, and I strongly
suspect RStudio didn't either.
I'd suggest that if you want to use R, just ask them to test R. It's
nice to have the RStudio front end, but you don't need it.
Once R is accepted, you could ask for an RStudio test if you want.
On the other hand, R is not safe to install, in the sense that it does
give programs access to anything the user has access to. I am pretty
sure that's also true of at least Matlab and Mathematica in the list of
alternatives you were given.
Duncan Murdoch
> I know nothing about Windows registry vulnerabilities. If any of these
> issues are legitimate concerns, I would like to see them fixed for
> everyone's benefit. I would appreciate a referral to the appropriate forum
> for this information. I am willing to assist in getting questions answered
> and gathering additional information.
> Thank you,
> Paul Martin
> Air Force Research Laboratory
> Kirtland Air Force Base
> Albuquerque, New Mexico
> -------- Original Message --------
>
> Subject: FW: R/RStudio Software
> Date: Fri, 4 May 2012 15:15:20 -0600
> From: Martin, Paul A Civ USAF AFMC AFRL/RVSEF
> [1]<Paul.Martin at kirtland.af.mil>
> To: [2]<pamartin at alum.mit.edu>
>
> -----Original Message-----
> From: Goel, Suman K Civ USAF AFMC AFRL/RVIO
> Sent: Friday, May 04, 2012 3:13 PM
> To: Martin, Paul A Civ USAF AFMC AFRL/RVSEF
> Subject: RE: R/RStudio Software
>
> Mr. Martin,
>
> Rstudio is an IDE for writing R code. I installed Rstudio first but it
> doesn't work without R so I tested them together.
>
> When I test software, usually the registry analysis file is blank. But this
> one happened to have numerous registry vulnerabilities - see attached. For
> most of them I don't even know if they affect the software.
> Collaboration P2P Host In TCP/Out TCP allowed seemed troubling.
>
> Thanks,
> Suman
>
> -----Original Message-----
> From: Martin, Paul A Civ USAF AFMC AFRL/RVSEF
> Sent: Friday, May 04, 2012 2:51 PM
> To: Goel, Suman K Civ USAF AFMC AFRL/RVIO
> Subject: RE: R/RStudio Software
>
> Ms. Goel,
>
> Sorry to bother you again with this, but I have two more questions:
>
> 1. Were these vulnerabilities found in both R and RStudio?
>
> 2. Could you be more explicit about the registry vulnerabilities? This is
> the only item where I could potentially get some issues addressed. Even if I
> cannot get this software on the NIPRNET, I can pass along your discoveries
> and help the community improve their code.
>
> Thank you,
>
> Paul Martin
>
> -----Original Message-----
> From: Goel, Suman K Civ USAF AFMC AFRL/RVIO
> Sent: Friday, May 04, 2012 2:34 PM
> To: Martin, Paul A Civ USAF AFMC AFRL/RVSEF
> Cc: Goel, Suman K Civ USAF AFMC AFRL/RVIO
> Subject: RE: R/RStudio Software
>
> Mr. Martin,
>
> Thank you for understanding. Here are some examples of vulnerabilities.
>
> Numerous forbidden file extensions.
> Numerous registry vulnerabilities
> Network connections to foreign IP address
>
> Many vulnerabilities are firewall policies related under restricted
> services.
>
> Once again Thank you,
>
> Respectfully,
> Suman
>
>
> -----Original Message-----
> From: Martin, Paul A Civ USAF AFMC AFRL/RVSEF
> Sent: Friday, May 04, 2012 2:12 PM
> To: Goel, Suman K Civ USAF AFMC AFRL/RVIO
> Subject: RE: R/RStudio Software
>
> Suman,
>
> Thank you for your reply. If it is not too much trouble, could you enumerate
> the issues you found, so that I can forward the list to the team maintaining
> the R software? I have no idea what kind of response to expect, but these
> people should at least be aware of the issues.
>
> Thank you.
>
> Paul Martin
>
> From: Goel, Suman K Civ USAF AFMC AFRL/RVIO
> Sent: Friday, May 04, 2012 2:07 PM
> To: Martin, Paul A Civ USAF AFMC AFRL/RVSEF
> Cc: Motes, Raymond A Civ USAF AFMC AFRL/RVSE; Serafico, Romeo G Civ USAF
> AFMC AFRL/RVIO; Mickey, Dallas C Civ USAF AFMC AFRL/RVIO; Trujillo, Lloyd P
> Civ USAF AFMC AFRL/RVIO
> Subject: R/RStudio Software
>
> Mr. Martin,
>
> After completing the vulnerability analysis, we decided to decline to
> approve R/RStudio software on the NIPRNet. We discovered many unmitigated
> risks and numerous registry vulnerabilities. The above-mentioned open source
> software poses high risks to the NIPRNet. We recommend using software from
> the Kirtland Base approved list. Here are some examples of the base approved
> statistical software:
>
> SPSS v19.x
> LISREL v8.x
> JMP v8.x - Soon to certify JMP v9 or 10
> Matlab v7.x
> Mathematica v8.x
> OriginPro v8.x
>
> If you like, we can add the following statistical software to the base list,
> which will be available on May 25th.
>
> Minitab v16.x
> SAS v9.x
> Maple v15.x
>
> In addition, please let us know if you have any other proprietary
> statistical software in mind. We can get those certified for the Base ATO.
>
> I apologize that this may cause an interruption in your project. Most
> proprietary software is safe for NIPRNet use, but this one caused some
> concerns. However, this can be continued on a standalone system. Please
> accept my humble apology.
>
> Thanks,
>
> Respectfully,
> Suman Goel
> 505-846-5357
> AFRL/RVIO
>
> References
>
> 1. mailto:Paul.Martin at kirtland.af.mil
> 2. mailto:pamartin at alum.mit.edu