Cisco Confirms Regex Flaw in IOS
gattaca writes "Cisco has announced a confirmation of an unpatched denial of service vulnerability in Cisco IOS. From the NetPro Forum post: 'I have just discovered a regular expression that crashes the router. I suspect the error is because of division by zero. Since I work for the Enterprise, I do not have direct access to TAC. Please somebody report this to Cisco. I have tested it on ranges of routers (2611, 2821, 2851, 7206) and IOSes (12.0-12.4). All routers crashed with some type of BUS ERROR.
Command can be issued in user mode, therefore I think it can be considered as vulnerability to potentially cause DOS.'" Of course, the command has to be entered in user mode, so while potentially a vulnerability, chances are your local IOS-based router won't be DoSed via the bug any time soon.
Writing code that can parse for any given syntax is, well, pretty much as difficult as writing a parsing front-end to a compiler.
I.e. it is not trivial and it is fraught with danger.
Any time you allow the user to submit arbitrary, un-screened, un-filtered data, you're just asking for trouble.
Of course, I guess you could argue that the job of a RegEx parser is precisely to do the screening & the filtering for you, but it is not a trivial business, and anyone who approaches the problem as though it were a mere triviality is a fool.
I.e. from the security point of view, the RegEx parser is a firewall [and, in all likelihood, is the only firewall], hence anyone writing a RegEx parser has to assume that the user submitting the input is a blackhat, not a whitehat.
PS: And the problem undergoes manifold [if not infinite] complexification when you're dealing with languages [or "environments"] like HTML, Javascript, and XML, which can re-write themselves on the fly.
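The comment above argues that a regex parser exposed to arbitrary user input is effectively a firewall and must assume the submitter is hostile. The following is an added example, not code from the original post or from Cisco, showing one way to screen user-supplied patterns before they reach a backtracking engine: cap the pattern and input sizes, cap group nesting, refuse backreferences, and refuse a quantifier applied to a group that already contains a quantifier (the classic `(a+)+` shape). The limits and the heuristic are assumptions chosen for the example; the check is a screen, not a proof that matching will be linear-time, and a linear-time engine such as RE2 is the stronger fix where one is available.

```python
import re

# Budget limits: assumed values for this example, tune them for your service.
MAX_PATTERN_LEN = 256
MAX_INPUT_LEN = 4096
MAX_GROUP_DEPTH = 8


class UnsafePattern(ValueError):
    """Raised when a user-supplied pattern fails screening."""


def _is_quantifier_at(pattern: str, j: int) -> bool:
    """True if pattern[j] starts a quantifier: * + ? or {n...}."""
    if j >= len(pattern):
        return False
    c = pattern[j]
    if c in "*+?":
        return True
    return c == "{" and j + 1 < len(pattern) and pattern[j + 1].isdigit()


def screen_pattern(pattern: str) -> None:
    """Reject a user-supplied regex before it reaches the backtracking engine.

    Heuristic checks: size, group nesting depth, backreferences, and a
    quantifier applied to a group that itself contains a quantifier.
    Anything suspicious is rejected; this is a screen, not a proof.
    """
    if len(pattern) > MAX_PATTERN_LEN:
        raise UnsafePattern("pattern too long")
    stack = []  # one bool per open group: does it contain a quantifier?
    i, n = 0, len(pattern)
    while i < n:
        c = pattern[i]
        if c == "\\":
            if i + 1 < n and pattern[i + 1].isdigit():
                raise UnsafePattern("backreferences are not allowed")
            i += 2  # skip the escaped character
        elif c == "[":
            # Skip a character class; a leading ']' (after optional '^') is literal.
            j = i + 1
            if j < n and pattern[j] == "^":
                j += 1
            if j < n and pattern[j] == "]":
                j += 1
            while j < n and pattern[j] != "]":
                j += 2 if pattern[j] == "\\" else 1
            if j >= n:
                raise UnsafePattern("unterminated character class")
            i = j + 1
        elif c == "(":
            if len(stack) >= MAX_GROUP_DEPTH:
                raise UnsafePattern("group nesting too deep")
            stack.append(False)
            # Skip the '?x' introducer of (?:...), (?=...), (?P<name>...), (?i) etc.
            i += 3 if i + 1 < n and pattern[i + 1] == "?" else 1
        elif c == ")":
            if not stack:
                raise UnsafePattern("unbalanced parenthesis")
            inner = stack.pop()
            quantified = _is_quantifier_at(pattern, i + 1)
            if quantified and inner:
                raise UnsafePattern("quantifier nested inside a quantified group")
            if stack and (inner or quantified):
                stack[-1] = True  # the enclosing group now contains a quantifier
            i += 1
        else:
            if _is_quantifier_at(pattern, i) and stack:
                stack[-1] = True
            i += 1
    if stack:
        raise UnsafePattern("unbalanced parenthesis")


def is_safe_pattern(pattern: str) -> bool:
    """Convenience wrapper: True if screen_pattern() accepts the pattern."""
    try:
        screen_pattern(pattern)
        return True
    except UnsafePattern:
        return False


def safe_search(pattern: str, text: str):
    """Screen the pattern and bound the input, then run the real engine."""
    screen_pattern(pattern)
    if len(text) > MAX_INPUT_LEN:
        raise UnsafePattern("input too long")
    return re.compile(pattern).search(text)


if __name__ == "__main__":
    # Constructed sample patterns: two benign, three that a hostile user might submit.
    for p in [r"^[a-z0-9]+@[a-z]+\.com$", r"(?:ab)+c", r"(a+)+$", r"((a+)b)+", r"(x)\1"]:
        print(f"{p!r:32} {'ok' if is_safe_pattern(p) else 'REJECTED'}")
```

The screen runs in one pass over the pattern string and never calls the regex engine, so it cannot itself be made slow by the input it is screening. Run with the pathological `(a+)+$` and a 30-character `aaaa...b` string, `safe_search` refuses the pattern up front instead of spending exponential time failing to match.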
Buying Cisco equipment (typically - and through proper purchase channels) gives you access to TAC (Technical Assistance Center), worldwide support 24x7 for network emergencies and problems, as well as extensive troubleshooting support. When you buy Cisco these days, that is what you are mostly paying for. Try getting that level of assistance from Netgear, Linksys (ironically owned by Cisco), DLink, etc... You really can't - as they do not put that level of resource behind their products.
If a rogue has CLI access to your router, you have bigger issues. Proper filtering, TACACS, logging and out-of-band management make this a non-issue.
The risk is almost the same as "reload" or the even more fun undocumented "test crash" commands.
Granted, I do not think this vulnerability requires "enable" access, which does increase the risk. However, nobody you do not trust should have any CLI access to a router.
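The comment above lists the controls that make a user-mode crash a non-issue: filter who can reach the VTY lines, authenticate and account through TACACS+, and ship logs off the box. The following is an added example, not code from the original comment or from Cisco, that audits a running-config for exactly those controls and shows a weak VTY configuration beside a hardened one. Both config snippets are constructed for the example, the addresses and the `tacacs-server` key are placeholders, and the checks are string matches on the IOS 12.x-style syntax, not a full config parser.

```python
import re

# Constructed sample: what a default-ish router with telnet and a line password looks like.
WEAK_CONFIG = """\
hostname edge-rtr
!
enable secret 5 $1$placeholder
!
line vty 0 4
 password cisco
 login
 transport input telnet ssh
!
end
"""

# Constructed sample: the same router with the controls the comment describes.
HARDENED_CONFIG = """\
hostname edge-rtr
!
aaa new-model
aaa authentication login default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
!
tacacs-server host 10.0.0.5
tacacs-server key placeholder
!
logging host 10.0.0.6
!
ip access-list standard MGMT
 permit 10.0.0.0 0.0.0.255
!
line vty 0 4
 access-class MGMT in
 transport input ssh
 exec-timeout 10 0
!
end
"""


def _vty_blocks(lines):
    """Yield (header, body) for each 'line vty ...' stanza; body lines are stripped."""
    i = 0
    while i < len(lines):
        if lines[i].startswith("line vty"):
            header, body = lines[i], []
            i += 1
            while i < len(lines) and lines[i].startswith(" "):
                body.append(lines[i].strip())
                i += 1
            yield header, body
        else:
            i += 1


def audit_ios_config(config: str) -> list:
    """Return a list of findings; an empty list means every checked control is present."""
    lines = config.splitlines()
    flat = [line.strip() for line in lines]
    findings = []
    if "aaa new-model" not in flat:
        findings.append("no 'aaa new-model': logins use line passwords, not TACACS+")
    if not any(l.startswith("aaa authentication login") and "tacacs+" in l for l in flat):
        findings.append("no TACACS+ login authentication")
    if not any(l.startswith("aaa accounting commands") and "tacacs+" in l for l in flat):
        findings.append("no TACACS+ command accounting: CLI commands are not logged off-box")
    if not any(l.startswith("logging host") or re.match(r"logging \d+\.\d+\.\d+\.\d+$", l)
               for l in flat):
        findings.append("no syslog host: crash and reload reasons stay on the box")
    for header, body in _vty_blocks(lines):
        if not any(b.startswith("access-class") and b.endswith(" in") for b in body):
            findings.append(f"{header}: no inbound access-class, CLI reachable from any source")
        transport = next((b for b in body if b.startswith("transport input")), None)
        if transport is None or transport.split()[2:] != ["ssh"]:
            findings.append(f"{header}: transport is not SSH-only ({transport!r})")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {name} ==")
        for f in audit_ios_config(cfg) or ["no findings"]:
            print("  " + f)
```

On the weak snippet every check fires: no AAA, no TACACS+ authentication or command accounting, no syslog host, a VTY line reachable from any source, and telnet still enabled. The hardened snippet produces no findings. Feed it the output of `show running-config` from a real box to get the same list for your own routers.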
That said, I'm on AT&T's route server right now and I can clearly see that it's been abused by the regex bug:
Note the uptime and line noting the reason for the last reboot.
So, in short, looking glasses aren't susceptible to this bug (at least none of the dozens of LG projects I've seen are). However, publicly accessible route servers that are IOS-based and not run on Juniper routers or Quagga may very well be susceptible if the admin hasn't secured the box.