RStudio Connect token vulnerability

RStudio has identified a security vulnerability in RStudio Connect. Customers who use RStudio Connect versions 1.4.0 or 1.4.2 should upgrade to 1.4.4.1 and scan for malicious tokens. The following article provides detailed instructions; for information beyond that, please contact us at support@rstudio.com.

Recently, a vulnerability was detected in the way that deploy tokens are created for RStudio Connect. Deploy tokens are the mechanism by which the rsconnect package and the RStudio IDE authenticate themselves to the RStudio Connect server. We found that deploy tokens can be used to perform arbitrary actions over Connect’s HTTP API.

This issue allows an unprivileged attacker to craft a particular request that could be used to create a token for any user on the server. The problem was discovered internally by an RStudio engineer and, after auditing our own RStudio Connect servers, we have found no evidence of this bug having been exploited.

However, in the interest of ensuring the security of our customers, we have documented the steps necessary to ensure that your server does not have any fraudulent tokens. The vulnerability was present in RStudio Connect versions 1.4.0 and 1.4.2, and was fixed in the 1.4.4.1 release. Any system running v1.4.0 or v1.4.2 should update to v1.4.4.1 immediately. Customers running the 1.4.4.1 release will no longer be at risk of having these fraudulent tokens created.

After upgrading, use the RStudio Connect usermanager command line interface to scan for fraudulent tokens. This tool can only be used when the RStudio Connect service is stopped, so we recommend that you take the following steps during your next maintenance window:

  1. Download and install RStudio Connect v1.4.4.1
  2. Stop the rstudio-connect service
  3. Scan for any malicious tokens (details below)
  4. Start the rstudio-connect service

Detecting Malicious Tokens

In release v1.4.4.1, the usermanager tool can run two different checks that identify suspicious tokens. You should run both checks and note every token they report.

First, check for tokens that were introduced without the appropriate audit log entry:

sudo /opt/rstudio-connect/bin/usermanager check -unaudited-tokens

Ideally, no active, unaudited tokens will be found.

Next, you can check for assigned, inactive tokens -- another sign of a problem:

sudo /opt/rstudio-connect/bin/usermanager check -assigned-inactive-tokens

Ideally, no assigned, inactive tokens will be found.

If any tokens were identified in either of the above checks, they should be deactivated immediately using the following command:

sudo /opt/rstudio-connect/bin/usermanager deactivate <token ID>

Please contact us immediately at support@rstudio.com for further assistance in auditing such a token.
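The maintenance-window procedure above, as an added shell example (not RStudio's own tooling): it stops the service, runs both usermanager checks while saving their output as audit evidence, and restarts the service even if a check fails or the script is interrupted. The usermanager path, the systemd service manager, and the report directory are assumptions that can be overridden through environment variables; the script expects to run as root, as the sudo commands above do.

```shell
#!/bin/sh
# Added example for the token scan described in this article.
# Assumed defaults (override via the environment when they differ on your host).
USERMANAGER="${USERMANAGER:-/opt/rstudio-connect/bin/usermanager}"
SERVICE_CMD="${SERVICE_CMD:-systemctl}"            # assumed: systemd host
REPORT_DIR="${REPORT_DIR:-/var/tmp/connect-token-audit}"

# Run one usermanager check (service must already be stopped) and keep the
# full output as evidence for a later audit.
run_check() {
  flag="$1"; out="$2"
  "$USERMANAGER" check "$flag" >"$out" 2>&1 || return 1
  echo "$flag: $(wc -l <"$out" | tr -d ' ') line(s) saved to $out"
}

# Stop Connect, run both checks, start Connect again.
# Returns 0 only if both checks ran; the trap restarts the service on any
# early exit so a failed check never leaves the server down.
token_scan() {
  mkdir -p "$REPORT_DIR" || return 1
  stamp=$(date +%Y%m%dT%H%M%S)
  unaudited="$REPORT_DIR/unaudited-tokens-$stamp.txt"
  inactive="$REPORT_DIR/assigned-inactive-tokens-$stamp.txt"

  "$SERVICE_CMD" stop rstudio-connect || return 1
  trap '"$SERVICE_CMD" start rstudio-connect' EXIT INT TERM

  run_check -unaudited-tokens "$unaudited" || return 1
  run_check -assigned-inactive-tokens "$inactive" || return 1

  # Normal path: start the service here and clear the safety trap.
  trap - EXIT INT TERM
  "$SERVICE_CMD" start rstudio-connect || return 1

  echo "Review $unaudited and $inactive; deactivate each listed token with:"
  echo "  $USERMANAGER deactivate <token ID>"
}
```

Any token ID that appears in either report should be deactivated with the usermanager command shown above and reported to RStudio support.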

These steps are sufficient to confirm that no malicious activity has occurred for the majority of installations. If you are interested in investigating further or discussing the issue in more detail, please contact us at support@rstudio.com.
