RStudio has identified a security vulnerability in RStudio Connect. Customers who use RStudio Connect versions 1.4.0 or 1.4.2 should upgrade to 184.108.40.206 and scan for malicious tokens. The following article provides detailed instructions; for information beyond that, please contact us at email@example.com.
Note that RStudio Connect versions 1.4.x are no longer supported, so this article is maintained for historical purposes only. For the most recent version of RStudio Connect, please visit the product page here.
Recently, a vulnerability was detected in the way that deploy tokens are created for RStudio Connect. Deploy tokens are the mechanism by which the
rsconnect package and the RStudio IDE authenticate themselves to the RStudio Connect server. We found that deploy tokens can be used to perform arbitrary actions over Connect’s HTTP API.
This issue allows an unprivileged attacker to craft a particular request that could be used to create a token for any user on the server. The problem was discovered internally by an RStudio engineer and, after auditing our own RStudio Connect servers, we have found no evidence of this bug having been exploited.
However, in the interest of ensuring the security of our customers, we have documented the steps necessary to ensure that your server does not have any fraudulent tokens. The vulnerability was present in RStudio Connect versions 1.4.0 and 1.4.2, and was fixed in the 220.127.116.11 release. Any system running v1.4.0 or v1.4.2 should update to v18.104.22.168 immediately. Customers running the 22.214.171.124 release will no longer be at risk of having these fraudulent tokens created.
To remedy the vulnerability, use the RStudio Connect
usermanager command line interface to scan for invalid tokens. This tool can only be used when the RStudio Connect service is stopped, so we recommend that you take the following steps during your next maintenance window:
- Download and install RStudio Connect v126.96.36.199
- Stop the
- Scan for any malicious tokens (details below)
- Start the
Detecting Malicious Tokens
In release v188.8.131.52, the
usermanager tool can run two different checks that can identify suspicious tokens. You should run both checks and note any suspicious token.
First, check for tokens that were introduced without the appropriate audit log entry:
sudo /opt/rstudio-connect/bin/usermanager check -unaudited-tokens
Ideally, no active, unaudited tokens will be found.
Next, you can check for assigned, inactive tokens -- another sign of a problem:
sudo /opt/rstudio-connect/bin/usermanager check -assigned-inactive-tokens
Ideally, no assigned, inactive tokens will be found.
If any tokens were identified in either of the above checks, they should be deactivated immediately using the following command:
sudo /opt/rstudio-connect/bin/usermanager deactivate <token ID>
Please contact us immediately at firstname.lastname@example.org for further assistance in auditing such a token.
These steps are sufficient to confirm that no malicious activity has occurred for the majority of installations. If you are interested in investigating further or discussing the issue in more detail, please contact us at email@example.com.