Wei Gao, Blog Author
Senior Security Research Engineer
What Should You Do Now that We Found the IBM SPSS Zero-Day?

May 31, 2016 by Wei Gao

Ixia’s ATI Research Center recently discovered a Zero-Day buffer overflow vulnerability inside IBM SPSS Statistics. This blog explores how organizations can ensure their network security will stop this vulnerability from allowing a remote attacker to execute code on their network. Likewise, security equipment manufacturers will need to ensure their gear detects and stops this vulnerability.

IBM SPSS STATISTICS—What is it?

IBM SPSS Statistics is an integrated family of products that addresses the entire analytical process, from planning and data collection to analysis, reporting, and deployment. It is used by some enterprises to get deeper, more meaningful insights from their data and perform predictive analysis to help make better decisions.

WHY SHOULD YOU CARE?

Any unpatched installation of the software on a client machine is vulnerable to arbitrary code execution. One possible modus operandi is for an attacker to create a malicious HTML page and insert hidden links to it in targeted email campaigns to click-bait a victim.

Figure: A spam email with hidden links to malicious HTML page.

A crafted HTML page can have several hidden options to perform remote code execution on a client’s machine. An attacker can use the highly popular JavaScript, VBScript, C, C++, or some similar programming language embedded in the HTML page. Of course, a hacker who is advanced enough to exploit this vulnerability would also take the extra step of obfuscating the code to avoid detection by IPS/IDS devices. Obfuscation is a programming technique in which code is intentionally obscured to prevent reverse engineering.

Figure: A representative obfuscated JavaScript code hidden within HTML.
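The point above about obfuscation defeating IPS/IDS signatures can be seen from the defender's side. The following Python check is an added example, not code from the original post or from Ixia: it extracts script bodies from HTML and shows a literal signature missing an obfuscated string until the script text is normalized. The names `ScriptExtractor`, `normalize`, `scan` and the placeholder string `DEMO_TOKEN` are assumptions made for illustration.

```python
import re
from html.parser import HTMLParser

class ScriptExtractor(HTMLParser):
    """Collect the body of every <script> element."""
    def __init__(self):
        super().__init__()
        self.scripts, self._in_script = [], False
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script = True
            self.scripts.append("")
    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False
    def handle_data(self, data):
        if self._in_script:
            self.scripts[-1] += data

def _hex(m):
    return chr(int(m.group(1), 16))

def normalize(js):
    """Undo literal-level obfuscation (heuristic, not a JavaScript parser)."""
    js = re.sub(r"\\x([0-9a-fA-F]{2})", _hex, js)   # "\x44"   -> "D"
    js = re.sub(r"\\u([0-9a-fA-F]{4})", _hex, js)   # "\u0044" -> "D"
    js = re.sub(r"%([0-9a-fA-F]{2})", _hex, js)     # "%44"    -> "D"
    js = re.sub(r"String\.fromCharCode\(([\d,\s]+)\)",
                lambda m: '"' + "".join(chr(int(n) & 0xFFFF)
                                        for n in re.findall(r"\d+", m.group(1))) + '"', js)
    js = re.sub(r'unescape\(\s*("[^"]*")\s*\)', r"\1", js)  # drop the wrapper call
    prev = None
    while prev != js:                                # "ab" + "cd" -> "abcd"
        prev = js
        js = re.sub(r'"([^"]*)"\s*\+\s*"([^"]*)"', r'"\1\2"', js)
    return js

def scan(html, signature):
    """Return (raw_hit, normalized_hit) for a literal signature."""
    parser = ScriptExtractor()
    parser.feed(html)
    raw = any(signature in s for s in parser.scripts)
    norm = any(signature in normalize(s) for s in parser.scripts)
    return raw, norm

# Constructed sample: "DEMO_TOKEN" is a harmless placeholder, not a real indicator.
SAMPLE = r'''<html><body><script>
var a = "\x44\x45" + String.fromCharCode(77, 79) + "_TO" + unescape("%4B%45") + "N";
</script></body></html>'''

if __name__ == "__main__":
    print(scan(SAMPLE, "DEMO_TOKEN"))
```

The raw match fails on the constructed sample while the normalized match succeeds, which is the gap a detection device has to close when inspecting obfuscated script content.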

Any vulnerable client running the unpatched IBM SPSS can be compromised through this technique, giving the attacker access to the victim’s system. The hacker can then unleash malicious campaigns such as deploying ransomware, gaining privileged access, and moving laterally to further infect the organization.

Figure: In recent times, ransomware has become immensely popular amongst hackers.

If you are an IBM SPSS customer, refer to our Advisory blog to see whether you are running the vulnerable version; if you are, download and install the IBM SPSS patch.

WHAT CAN BE DONE IF YOU ARE A SECURITY VENDOR?

As a vendor, you will want to verify that your security device is able to detect and block the vulnerability. Ixia’s BreakingPoint security test solution makes validating simple. In case you aren’t familiar with BreakingPoint, refer to this video or the complete tutorial videos. BreakingPoint users should:

  1. Download Ixia’s ATI update that contains the relevant strike here
  2. Search for “IBM SPSS” in the strike center and create a customized strike list
  3. Run a test

To increase the complexity, you can also use evasion techniques on top of the strike.

With the hardware packet capture ability of BreakingPoint, you can also understand the attack signatures.

Figure: BreakingPoint capture of one of the strike flows as seen after obfuscation.

For Ixia’s IBM SPSS Statistics advisory summary and details, see this blog.

LEVERAGE SUBSCRIPTION SERVICE TO STAY AHEAD OF ATTACKS

The Ixia BreakingPoint Application and Threat Intelligence (ATI) Subscription provides bi-weekly updates of the latest application protocols and attacks for use with Ixia platforms.