.webp)
A vulnerability present in the R programming language on versions 1.4.0 through 4.4.0., categorized as CVE-2024-27322 (CVSSv3: 8.8), allows a remote attacker to send a maliciously crafted RDS-formatted file or R package to run arbitrary code on a user’s system. This vulnerability requires the user to interact with the RDS formatted file or R package. The research for this vulnerability comes from HiddenLayer.
Hidden Layer provides an in-depth assessment of the scope and impact of this vulnerability. According to their research, one of the functions that can be used to exploit this vulnerability appeared in GitHub repositories over 135,000 times. They believe it can be used in a supply chain attack because projects with vulnerable code are used from major software vendors such as R Studio, Facebook, Google, Microsoft, AWS, etc.
Exploitation of this vulnerability allows an attacker to execute arbitrary code remotely with user interaction using an RDS file or an R package.
If you or your organization uses the R programming language in any capacity, performing an update to R v4.4.0 is paramount. Given the extensive research done and demos of exploitation by Hidden Layer, it is only a matter of time before a threat actor utilizes this vulnerability maliciously.
Update R to version 4.4.0 or later for vulnerability remediation.
Exploitation of this vulnerability could affect a critical portion of the business. The R programming language is typically used with a wide variety of applications and services. If exploited, it could result in remote code execution with user interaction, which could greatly affect the business’ bottom line because the users of R often work with financial data. When this is the case, monetary and data losses are sure to follow an exploitation.
Patch: Applying the patch to R to update to v 4.4.0 is the best method to mitigate this vulnerability.
Protect and train users: Due to this vulnerability requiring user interaction, it is important to monitor users and ensure malicious RDS formatted files or R packages reach these users. An advisory to users within your organization about this vulnerability is also recommended.
https://jennhuck.github.io/workshops/install_update_R.html#Installing_RStudio
https://hiddenlayer.com/research/r-bitrary-code-execution/
https://nvd.nist.gov/vuln/detail/CVE-2024-27322
On this episode of the CyberWatch podcast, there are updates to software across the application and OS spectrum. New malicious campaigns are threatening victims of all sizes, and researchers have performed dissections on malware to give defenders new clues about just what it is they're fighting. All this today, in CyberWatch.
As we conclude our 'ransomware readiness week' of this Cybersecurity Awareness Month, it's time to take a critical look at your organization's defenses. Ransomware attacks are becoming more sophisticated, and no business is immune. In our latest article, we explore essential strategies to bolster your ransomware preparedness. Don't miss this vital information to help protect your business from emerging threats.
Ethical hacking has become an essential response to an IT industry kept on its toes by a spectrum of bad actors with malicious intent. This article introduces two prominent methodologies that help the good guys fight back: penetration testing (pen-testing) and red teaming. Learn more here.
Host Geoff Hancock was joined by guests Mike Rush, Director of Threat Intelligence at Access Point Consulting; and Evie Manning, Senior Director of Threat Hunting and Intelligence at Access Point Consulting. Together, they talked about cyber threat intelligence and the applications that can make it work for small and medium-sized businesses.
