Threat actors could leverage a high-severity vulnerability impacting the R programming language, tracked as CVE-2024-27322, to enable arbitrary code execution during the deserialization of packages using the RDS format and potentially facilitate supply chain attacks, The Hacker News reports.
"For an attacker to take over an R package, all they need to do is overwrite the rdx file with the maliciously crafted file, and when the package is loaded, it will automatically execute the code," said HiddenLayer researchers Kieran Evans and Kasimir Schulz in a report, which noted that accessing the symbol associated with the RCS file would allow the execution of an expression with arbitrary code.
The security issue, which was addressed last week, has already prompted an advisory from the CERT Coordination Center noting that malicious RDS and RDX files enabling arbitrary code execution could be deployed through social engineering tactics.
"Projects that use readRDS on untrusted files are also vulnerable to the attack," added CERT/CC.