registry vulnerabilities in R
I am totally ignorant on these matters, but ... R is open source statistical software written largely for (and used a lot by) academics for research. So I would not be surprised if it has "security vulnerabilities". As usual, the GPL explicitly exempts the R organization from any responsibility on these matters. "R comes with no guarantees." That said, you'd have to check with R core about how they try to defend against errant code being deposited on CRAN and distributed. AFAICS, they do a damn good job. At least, I've never heard of complaints of problems. -- Bert
On Tue, May 8, 2012 at 8:10 AM, Paul Martin <pamartin at alum.mit.edu> wrote:
> Kirtland Air Force Base has denied approval for the use of R on its Windows network. Some of their objections seem a bit strange, but some appear to be legitimate. In particular, they have detected registry "vulnerabilities" which are detailed in the attachment.
>
> I know nothing about Windows registry vulnerabilities. If any of these issues are legitimate concerns, I would like to see them fixed for everyone's benefit. I would appreciate a referral to the appropriate forum for this information. I am willing to assist in getting questions answered and gathering additional information.
>
> Thank you,
> Paul Martin
> Air Force Research Laboratory
> Kirtland Air Force Base
> Albuquerque, New Mexico
>
> -------- Original Message --------
> Subject: FW: R/RStudio Software
> Date: Fri, 4 May 2012 15:15:20 -0600
> From: Martin, Paul A Civ USAF AFMC AFRL/RVSEF [1]<Paul.Martin at kirtland.af.mil>
> To: [2]<pamartin at alum.mit.edu>
>
> -----Original Message-----
> From: Goel, Suman K Civ USAF AFMC AFRL/RVIO
> Sent: Friday, May 04, 2012 3:13 PM
> To: Martin, Paul A Civ USAF AFMC AFRL/RVSEF
> Subject: RE: R/RStudio Software
>
> Mr. Martin,
>
> RStudio is an IDE for writing R code. I installed RStudio first but it doesn't work without R, so I tested them together. When I test software, usually the registry analysis file is blank, but this one happened to have numerous registry vulnerabilities - see attached. For most of them I don't even know whether they affect the software. "Collaboration P2P Host In TCP/Out TCP allowed" seemed troubling.
>
> Thanks,
> Suman
>
> -----Original Message-----
> From: Martin, Paul A Civ USAF AFMC AFRL/RVSEF
> Sent: Friday, May 04, 2012 2:51 PM
> To: Goel, Suman K Civ USAF AFMC AFRL/RVIO
> Subject: RE: R/RStudio Software
>
> Ms. Goel,
>
> Sorry to bother you again with this, but I have two more questions:
>
> 1. Were these vulnerabilities found in both R and RStudio?
> 2. Could you be more explicit about the registry vulnerabilities?
>
> This is the only item where I could potentially get some issues addressed. Even if I cannot get this software on the NIPRNET, I can pass along your discoveries and help the community improve their code.
>
> Thank you,
> Paul Martin
>
> -----Original Message-----
> From: Goel, Suman K Civ USAF AFMC AFRL/RVIO
> Sent: Friday, May 04, 2012 2:34 PM
> To: Martin, Paul A Civ USAF AFMC AFRL/RVSEF
> Cc: Goel, Suman K Civ USAF AFMC AFRL/RVIO
> Subject: RE: R/RStudio Software
>
> Mr. Martin,
>
> Thank you for understanding. Here are some examples of vulnerabilities:
>
> - Numerous forbidden file extensions.
> - Numerous registry vulnerabilities.
> - Network connections to foreign IP address.
> - Many vulnerabilities are firewall-policy related, under restricted services.
>
> Once again, thank you,
> Respectfully,
> Suman
>
> -----Original Message-----
> From: Martin, Paul A Civ USAF AFMC AFRL/RVSEF
> Sent: Friday, May 04, 2012 2:12 PM
> To: Goel, Suman K Civ USAF AFMC AFRL/RVIO
> Subject: RE: R/RStudio Software
>
> Suman,
>
> Thank you for your reply. If it is not too much trouble, could you enumerate the issues you found, so that I can forward the list to the team maintaining the R software? I have no idea what kind of response to expect, but these people should at least be aware of the issues.
>
> Thank you.
> Paul Martin
>
> From: Goel, Suman K Civ USAF AFMC AFRL/RVIO
> Sent: Friday, May 04, 2012 2:07 PM
> To: Martin, Paul A Civ USAF AFMC AFRL/RVSEF
> Cc: Motes, Raymond A Civ USAF AFMC AFRL/RVSE; Serafico, Romeo G Civ USAF AFMC AFRL/RVIO; Mickey, Dallas C Civ USAF AFMC AFRL/RVIO; Trujillo, Lloyd P Civ USAF AFMC AFRL/RVIO
> Subject: R/RStudio Software
>
> Mr. Martin,
>
> After completing the vulnerability analysis, we decided to decline to approve R/RStudio software on the NIPRNet. We discovered many unmitigated risks and numerous registry vulnerabilities. The above-mentioned open source software poses high risks to the NIPRNet. We recommend using software from the Kirtland Base approved list.
>
> Here are some examples of the base-approved statistical software:
>
> - SPSS v19.x
> - LISREL v8.x
> - JMP v8.x - soon to be certified: JMP v9 or 10
> - Matlab v7.x
> - Mathematica v8.x
> - OriginPro v8.x
>
> If you like, we can add the following statistical software to the base list, which will be available on May 25th:
>
> - Minitab v16.x
> - SAS v9.x
> - Maple v15.x
>
> In addition, please let us know if you have any other proprietary statistical software in mind. We can get those certified for the Base ATO. I apologize that this may cause an interruption in your project. Most proprietary software is safe for NIPRNet use, but this one caused some concerns. However, this can be continued on a standalone system. Please accept my humble apology.
>
> Thanks,
> Respectfully,
> Suman Goel
> 505-846-5357
> AFRL/RVIO
>
> References
> 1. mailto:Paul.Martin at kirtland.af.mil
> 2. mailto:pamartin at alum.mit.edu
______________________________________________
R-help at r-project.org mailing list
https://stat.ethz.ch/mailman/listinfo/r-help
PLEASE do read the posting guide http://www.R-project.org/posting-guide.html
and provide commented, minimal, self-contained, reproducible code.
Bert Gunter
Genentech Nonclinical Biostatistics

Internal Contact Info:
Phone: 467-7374
Website: http://pharmadevelopment.roche.com/index/pdb/pdb-functional-groups/pdb-biostatistics/pdb-ncb-home.htm