New R Programming Vulnerability Exposes Projects to Supply Chain Attacks

April 29, 2024 at 10:00AM

A security vulnerability, CVE-2024-27322, has been discovered in the R programming language, enabling threat actors to execute malicious code via RDS files. This flaw, fixed in version 4.4.0, could lead to supply chain attacks through compromised R packages. AI security firm HiddenLayer reported the issue, emphasizing the importance of updating to the latest version.

In summary, a critical security vulnerability has been discovered in the R programming language, tracked as CVE-2024-27322, concerning the handling of RDS (R Data Serialization) files. This vulnerability allows arbitrary code execution when untrusted data is deserialized, potentially exposing users to supply chain attacks through specially crafted R packages. The flaw was addressed in version 4.4.0, released on April 24, 2024, following responsible disclosure.

The potential impact includes the exploitation of R packages as part of a supply chain attack via package repositories, which could lead to automatic code execution when a package is decompressed and deserialized.

To mitigate this risk, it is crucial to ensure that all systems are promptly updated to version 4.4.0 or later. Additionally, users should be informed about the security patch and advised to avoid loading or working with untrusted RDS files until the systems are updated.

It is important to monitor the distribution and usage of R packages within the organization and to follow up on potential exposure to this security vulnerability. Regular communication and training about best practices in package management and security awareness are advisable.
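As an added example (not from the article, HiddenLayer, or the R project), the following POSIX shell audit applies the mitigation above on a single host: it parses the `R --version` banner, flags installs older than 4.4.0, and counts the serialized files in a package library that would be unserialized when packages are loaded. The default library path and the set of file extensions are assumptions.

```shell
#!/bin/sh
# Added example, not from the article: audit one host for CVE-2024-27322 exposure.
# Flags R installs older than 4.4.0 (the fixed version the article names) and counts
# serialized R files in a package library (library path and extensions are assumed).

FIXED_VERSION="4.4.0"

# version_ge A B: exit 0 when dotted version A >= B, compared field by field
# (so 4.10.0 > 4.4.0, which a plain string comparison would get wrong).
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".");
        for (i = 1; i <= (n > m ? n : m); i++) {
            xi = (i <= n) ? x[i] + 0 : 0; yi = (i <= m) ? y[i] + 0 : 0;
            if (xi > yi) exit 0; if (xi < yi) exit 1;
        }
        exit 0 }'
}

# r_is_patched VERSION: exit 0 when VERSION already contains the fix.
r_is_patched() { version_ge "$1" "$FIXED_VERSION"; }

# r_version_from_banner LINE: pull "x.y.z" out of the first line printed by
# `R --version`, e.g. 'R version 4.3.2 (2023-10-31) -- "Eye Holes"'.
r_version_from_banner() {
    printf '%s\n' "$1" | sed -n 's/^R version \([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# count_serialized_files DIR: number of files R would unserialize on package
# load (assumed extensions). Prints 0 when DIR does not exist.
count_serialized_files() {
    find "$1" -type f \( -name '*.rds' -o -name '*.rda' -o -name '*.RData' \
        -o -name '*.rdb' \) 2>/dev/null | wc -l | tr -d ' '
}

# audit_host [LIBDIR]: report the local R version; return 2 when it predates the fix.
audit_host() {
    lib_dir="${1:-/usr/lib/R/site-library}"   # assumed Debian-style site library
    command -v R >/dev/null 2>&1 || { echo "R is not installed here"; return 0; }
    ver=$(r_version_from_banner "$(R --version 2>/dev/null | head -n 1)")
    n=$(count_serialized_files "$lib_dir")
    if r_is_patched "$ver"; then
        echo "OK: R $ver >= $FIXED_VERSION; $n serialized files under $lib_dir"
        return 0
    fi
    echo "VULNERABLE: R $ver predates the CVE-2024-27322 fix; $n serialized files under $lib_dir"
    return 2
}

# Only run the audit when invoked as: sh audit.sh audit [LIBDIR]
if [ "${1:-}" = "audit" ]; then audit_host "$2"; fi
```

Run it from configuration management across the fleet and act on any host that reports VULNERABLE; the serialized-file count shows how much package content that host would deserialize before it is upgraded.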