Wei Gao, Blog Author
Senior Security Research Engineer
Blog

Ixia ATI Research Center Discovers Zero-Day IBM SPSS Statistics Vulnerability

May 17, 2016 by Wei Gao

Ixia’s ATI Research Center recently discovered a previously unknown buffer overflow vulnerability inside IBM SPSS Statistics. The vulnerability is due to the improper validation of argument of the Initialize function and could allow a remote attacker execute code in the context of a targeted user.

IBM SPSS Statistics Overview

IBM SPSS Statistics is an integrated family of products that addresses the entire analytical process, from planning to data collection to analysis, reporting, and deployment.

Advisory Summary

  • An ActiveX Control buffer overflow Vulnerability CVE-2015-8530 in IBM SPSS 20 through 24
  • IBM has issued a patch, available here
  • Ixia BreakingPoint PoC strike released in ATI-2016-10, available here
  • Ixia BPS Advisory, available here

Advisory Details

A buffer overflow vulnerability exists in IBM SPSS Statistics 20.0.0.2, 21.0.0.2, 22.0.0.2, 23.0.0.3, and 24.0.0.0. The vulnerability is due to the improper validation of argument of Initialize function. A remote attacker could exploit this vulnerability by enticing a vulnerable user to open a crafted web page. Successful exploitation could lead to code execution in the context of the target user.

Leverage Subscription Service to Stay Ahead of Attacks

The Ixia BreakingPoint Application and Threat Intelligence (ATI) Subscription provides bi-weekly updates of the latest application protocols and attacks for use with Ixia platforms.