
Supply chain attacks likely with exploitation of novel R programming bug


Threat actors could leverage CVE-2024-27322, a high-severity vulnerability in the R programming language, to achieve arbitrary code execution when packages are deserialized from the RDS format, potentially facilitating supply chain attacks, The Hacker News reports.

"For an attacker to take over an R package, all they need to do is overwrite the rdx file with the maliciously crafted file, and when the package is loaded, it will automatically execute the code," said HiddenLayer researchers Kieran Evans and Kasimir Schulz in a report, which noted that accessing the symbol associated with the RCS file would allow the execution of an expression with arbitrary code.

The vulnerability, which was patched last week, has also prompted an advisory from the CERT Coordination Center noting that malicious RDS and RDX files enabling arbitrary code execution could be delivered through social engineering.

"Projects that use readRDS on untrusted files are also vulnerable to the attack," added CERT/CC.
