Mia Davis
May 7, 2024

Threat Report 07.05.24

Vulnerability in R programming language leaves users vulnerable to supply chain attacks

Security researchers have discovered a flaw in the R programming language, used for statistical computing and data visualisation, that could expose users to supply chain attacks when they load specially crafted R packages or serialized R data files.

The vulnerability, tracked as CVE-2024-27322, has a CVSS score of 8.8 and allows arbitrary code execution when R deserializes untrusted data. R packages routinely bundle serialized objects (RDS/RDA files), so an attacker could plant a malicious package in a package repository; when a user installs or loads it, the embedded payload executes automatically without the user ever calling the malicious object.

The vulnerability has been patched in R version 4.4.0, and further protections are being worked on for a subsequent (Q2) release. Users should upgrade to 4.4.0 or later before loading packages or RDS files from sources they do not control.
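Because the dangerous step is deserialization itself, a practitioner wanting to know what serialized objects a package would feed to R on install or load should look at the bytes without calling readRDS() or load(). The following is an added example, not code from the R project or from the original report. It assumes the RDS layout written by R's serialize(): a two-byte format marker ("X\n" for XDR), then big-endian 32-bit integers for the format version, the writing R version and the minimum reading R version (each packed as major*65536 + minor*256 + patch), then, for format version 3 only, the length and text of the writer's native encoding, followed by the object stream. The sample RDS bytes and the sample package tarball are constructed here to match what saveRDS(NULL) from R 4.3.1 and a minimal source package would look like.

```python
"""Inspect R serialized (RDS) data and package contents without deserializing anything.

Added example; not code from the R project or the original report. The header
layout assumed here follows R's serialize() stream format, and the samples are
constructed for this example.
"""
import gzip
import io
import struct
import tarfile

# Extensions under which R packages ship serialized objects that are deserialized
# on install/load (R/sysdata.rda, data/*.rda and *.rds, lazy-load .rdb databases).
SERIALIZED_EXTS = (".rds", ".rda", ".RData", ".rdb")


def decode_r_version(n):
    """R packs a version number as major*65536 + minor*256 + patch."""
    return (n >> 16, (n >> 8) & 0xFF, n & 0xFF)


def parse_rds_header(data):
    """Return header metadata of an RDS byte string; reads bytes only, evaluates nothing."""
    if data[:2] == b"\x1f\x8b":          # saveRDS() gzips its output by default
        data = gzip.decompress(data)
    if data[:2] != b"X\n":
        raise ValueError("not an XDR-format R serialization stream: %r" % data[:2])
    off = 2

    def read_int():
        nonlocal off
        (v,) = struct.unpack_from(">i", data, off)
        off += 4
        return v

    fmt_version = read_int()
    writer = decode_r_version(read_int())
    min_reader = decode_r_version(read_int())
    encoding = None
    if fmt_version == 3:                 # format 3 (R >= 3.5.0) records the writer's encoding
        n = read_int()
        encoding = data[off:off + n].decode("ascii")
        off += n
    return {
        "format_version": fmt_version,
        "writer_r_version": writer,
        "min_reader_r_version": min_reader,
        "native_encoding": encoding,
        "payload_offset": off,           # where the object stream begins
    }


def serialized_members(tar_bytes):
    """List members of a package tarball that R would deserialize when installing or loading it."""
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tf:
        return sorted(m.name for m in tf.getmembers()
                      if m.isfile() and m.name.endswith(SERIALIZED_EXTS))


def build_sample_rds():
    """Constructed sample: header plus a NULL object, as saveRDS(NULL) would write from R 4.3.1."""
    r_4_3_1 = (4 << 16) | (3 << 8) | 1        # 262913
    r_3_5_0 = (3 << 16) | (5 << 8) | 0        # 197888, minimum reader for format version 3
    enc = b"UTF-8"
    raw = (b"X\n" + struct.pack(">iii", 3, r_4_3_1, r_3_5_0)
           + struct.pack(">i", len(enc)) + enc
           + struct.pack(">i", 254))          # NILVALUE_SXP: the serialized NULL
    return gzip.compress(raw)


def build_sample_package():
    """Constructed sample tarball laid out like a minimal R source package."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        for name, payload in [("pkg/DESCRIPTION", b"Package: pkg\n"),
                              ("pkg/R/code.R", b"f <- function() 1\n"),
                              ("pkg/R/sysdata.rda", b"RDX3\n"),
                              ("pkg/data/table.rds", build_sample_rds())]:
            info = tarfile.TarInfo(name)
            info.size = len(payload)
            tf.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


if __name__ == "__main__":
    for member in serialized_members(build_sample_package()):
        print("deserialized on load:", member)
    print(parse_rds_header(build_sample_rds()))
```

The header tells you which R wrote the file and which R it expects to read it, which is useful provenance when triaging a package, but it says nothing about what the object stream contains; the only reliable protection against a crafted stream is to deserialize it on R 4.4.0 or later.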

Breach in Dropbox’s digital signature service

Dropbox has disclosed that its digital signature service, Dropbox Sign (formerly HelloSign), has suffered a breach by a currently unidentified threat actor. The attacker reportedly gained access to a Dropbox Sign automated system configuration tool, which allowed them to compromise a back-end service account and, through it, to reach the customer database.

The threat actor was able to access the emails, usernames, and general account settings of all Dropbox Sign users. For some users, they also accessed phone numbers, hashed passwords, and certain authentication data such as API keys, OAuth tokens, and multi-factor authentication details. Third parties without an account who received or signed documents through Dropbox Sign are also affected, with their names and email addresses exposed. There is currently no evidence that the threat actor accessed the contents of users' accounts, such as agreements or templates, or any payment information. The incident is limited to Dropbox Sign infrastructure.

Dropbox is currently sending step-by-step guidance to affected users, has reset users' passwords, has logged users out of any devices connected to Dropbox Sign, and is coordinating the rotation of all API keys and OAuth tokens. Dropbox is also working with law enforcement and regulatory authorities on the matter.

CISA warns of exploitation of GitLab vulnerability

CISA has added a GitLab vulnerability to its Known Exploited Vulnerabilities catalogue based on evidence of active exploitation. No further details on how the vulnerability is being exploited in the wild have yet been provided.

The vulnerability, tracked as CVE-2023-7028, has the maximum CVSS score of 10.0 and allows complete account takeover: an attacker can have a user's password reset email sent to an unverified, attacker-controlled email address, then use the reset link to set a new password. With control of the account, an attacker could steal sensitive information and credentials, or carry out supply chain attacks by poisoning source code repositories with malicious code.

The vulnerability has been fixed in GitLab versions 16.5.6, 16.6.4, and 16.7.2, and the fix has been backported to versions 16.1.6, 16.2.9, 16.3.7, and 16.4.5. To mitigate the issue, update to one of these versions or later. Enabling two-factor authentication on all accounts, and particularly on administrator accounts, is a worthwhile additional safeguard: a password reset alone does not let an attacker log in to an account whose second factor they do not hold.
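Two checks a GitLab administrator will want after reading this: whether a given instance version is still in the vulnerable range, and whether the instance's request logs show reset attempts that supplied more than one email address (the shape of this exploit, since the extra address is the unverified one the reset link is sent to). The following is an added example, not GitLab's own code or tooling. The fixed patch level for each minor branch comes from the versions listed above; the rule that releases before 16.1 are unaffected follows GitLab's advisory for this CVE. The log lines are constructed for this example and mimic the general shape of gitlab-rails/production_json.log (one JSON object per line, request parameters as a list of key/value pairs); the exact field names are assumptions to adapt to your own log output.

```python
"""Version-range and log checks for CVE-2023-7028 (GitLab password-reset account takeover).

Added example; not GitLab's own code or tooling. Fixed versions are those
named in the report; the log format below is a constructed approximation of
production_json.log and its field names are assumptions.
"""
import json

# First fixed patch release on each affected minor branch (from the report).
FIXED_PATCH = {
    (16, 1): 6, (16, 2): 9, (16, 3): 7, (16, 4): 5,
    (16, 5): 6, (16, 6): 4, (16, 7): 2,
}


def parse_version(s):
    """'16.7.2-ee' -> (16, 7, 2); missing components are treated as 0."""
    parts = [int(p) for p in s.strip().split("-")[0].split(".")[:3]]
    return tuple(parts + [0] * (3 - len(parts)))


def is_vulnerable(version):
    """True if this GitLab version predates the fix on its own minor branch."""
    major, minor, patch = parse_version(version)
    branch = (major, minor)
    if branch < (16, 1):            # affected code path was introduced in 16.1.0
        return False
    if branch in FIXED_PATCH:       # a naive ">= 16.7.2" check would miss backported fixes
        return patch < FIXED_PATCH[branch]
    return False                    # 16.8 and later shipped with the fix


def reset_emails(record):
    """Email addresses submitted under user[email] in one request record."""
    for param in record.get("params", []):
        if param.get("key") != "user" or not isinstance(param.get("value"), dict):
            continue
        email = param["value"].get("email")
        if isinstance(email, list):         # user[email][]=a&user[email][]=b
            return [str(e) for e in email]
        if isinstance(email, str):          # the normal single-address form
            return [email]
    return []


def find_exploit_attempts(log_lines):
    """Flag POST /users/password requests that supplied more than one email address."""
    hits = []
    for line in log_lines:
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:        # skip non-JSON lines rather than abort the scan
            continue
        if rec.get("method") != "POST" or rec.get("path") != "/users/password":
            continue
        emails = reset_emails(rec)
        if len(emails) > 1:
            hits.append({"time": rec.get("time"),
                         "remote_ip": rec.get("remote_ip"),
                         "emails": emails})
    return hits


# Constructed sample log: a normal reset, an unrelated request, and an exploit-shaped reset.
SAMPLE_LOG = """\
{"method":"POST","path":"/users/password","time":"2024-05-01T10:00:00Z","remote_ip":"203.0.113.7","params":[{"key":"user","value":{"email":"alice@example.test"}}]}
{"method":"GET","path":"/users/sign_in","time":"2024-05-01T10:00:05Z","remote_ip":"203.0.113.7","params":[]}
{"method":"POST","path":"/users/password","time":"2024-05-01T10:01:00Z","remote_ip":"198.51.100.9","params":[{"key":"user","value":{"email":["admin@example.test","attacker@evil.test"]}}]}
"""

if __name__ == "__main__":
    for v in ("16.0.8", "16.4.4-ee", "16.4.5", "16.7.1", "16.8.0"):
        print(v, "vulnerable" if is_vulnerable(v) else "not vulnerable")
    for hit in find_exploit_attempts(SAMPLE_LOG.splitlines()):
        print("suspicious reset:", hit)
```

The per-branch table matters because the backported fixes mean a simple "is the version at least 16.7.2" comparison would wrongly mark a patched 16.4.5 as vulnerable and could just as easily be inverted into marking an unpatched 16.7.1 as safe.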
