Supply chain attacks likely with exploitation of novel R programming bug

Threat actors could leverage a high-severity vulnerability in the R programming language, tracked as CVE-2024-27322, to achieve arbitrary code execution during the deserialization of packages that use the RDS format, potentially facilitating supply chain attacks, The Hacker News reports.

"For an attacker to take over an R package, all they need to do is overwrite the rdx file with the maliciously crafted file, and when the package is loaded, it will automatically execute the code," said HiddenLayer researchers Kieran Evans and Kasimir Schulz in a report, which noted that accessing the symbol associated with the RDS file would allow the execution of an expression containing arbitrary code.

The flaw, which was addressed last week, has also prompted an advisory from the CERT Coordination Center warning that malicious RDS and RDX files enabling arbitrary code execution could be delivered through social engineering. "Projects that use readRDS on untrusted files are also vulnerable to the attack," added CERT/CC.
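The attack path quoted above depends on an installed package's rdx file being silently replaced. One defensive control that does not require understanding the RDS format at all is a file-integrity manifest over a package library: record a SHA-256 digest for every `.rdx`, `.rdb` and `.rds` file when the library is in a known-good state, then re-check before use. The script below is an added example written for this article, not code from HiddenLayer, CERT/CC or the R project; the package name `examplepkg`, the directory layout and the file contents are constructed placeholders. It only detects files that change after the manifest was taken, so it does not help with a malicious file that was installed from an untrusted source in the first place, and it is no substitute for patching R.

```python
"""Integrity manifest for R package lazy-load files (.rdx/.rdb/.rds).

Added example: builds a SHA-256 manifest of the serialized R files under a
library root and later reports any file that was modified, removed or added.
Package names, paths and file contents used in demo() are constructed.
"""
import hashlib
import os
import tempfile

# Serialized R objects that R loads and evaluates; an overwritten .rdx is
# the vector described in the report.
WATCHED_SUFFIXES = (".rdx", ".rdb", ".rds")


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of an in-memory byte string."""
    return hashlib.sha256(data).hexdigest()


def hash_file(path: str) -> str:
    """Hex SHA-256 of a file, streamed so large .rdb blobs are not read at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(library_root: str) -> dict:
    """Map each watched file (path relative to library_root) to its digest."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(library_root):
        for name in files:
            if name.lower().endswith(WATCHED_SUFFIXES):
                full = os.path.join(dirpath, name)
                rel = os.path.relpath(full, library_root).replace(os.sep, "/")
                manifest[rel] = hash_file(full)
    return manifest


def verify_manifest(library_root: str, manifest: dict) -> dict:
    """Compare the library's current state against a trusted manifest.

    Returns sorted lists of paths that were modified, are missing, or were
    added since the manifest was built. An empty result means no drift.
    """
    current = build_manifest(library_root)
    modified = sorted(p for p in manifest if p in current and current[p] != manifest[p])
    missing = sorted(p for p in manifest if p not in current)
    added = sorted(p for p in current if p not in manifest)
    return {"modified": modified, "missing": missing, "added": added}


def demo() -> dict:
    """Create a throwaway library with constructed files, overwrite one rdx, verify."""
    root = tempfile.mkdtemp(prefix="rlib-")
    pkg_r = os.path.join(root, "examplepkg", "R")  # hypothetical package
    os.makedirs(pkg_r)
    rdx = os.path.join(pkg_r, "examplepkg.rdx")
    rdb = os.path.join(pkg_r, "examplepkg.rdb")
    with open(rdx, "wb") as f:
        f.write(b"constructed-rdx-index")  # stand-in for real lazy-load index
    with open(rdb, "wb") as f:
        f.write(b"constructed-rdb-blob")   # stand-in for real lazy-load data
    trusted = build_manifest(root)          # snapshot of the known-good state
    # Simulate the overwrite described in the report: replace the index file.
    with open(rdx, "wb") as f:
        f.write(b"tampered-rdx-index")
    return verify_manifest(root, trusted)


if __name__ == "__main__":
    for kind, paths in demo().items():
        for p in paths:
            print(f"{kind}: {p}")
```

In practice the manifest would be written right after a package is installed from a trusted source, stored outside the library directory with restricted permissions, and `verify_manifest` run from a scheduled job or before a build pipeline calls into R; any `modified` entry for an rdx file is worth treating as a tampering alert rather than a routine change.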