Slashdot Mirror


Cisco Confirms Regex Flaw in IOS

gattaca writes "Cisco has announced a confirmation of an unpatched denial of service vulnerability in Cisco IOS. From the NetPro Forum post: 'I have just discovered a regular expression that crashes the router. I suspect the error is because of division by zero. Since I work for the Enterprise, I do not have direct access to TAC. Please somebody report this to Cisco. I have tested it on ranges of routers (2611, 2821, 2851, 7206) and IOSes (12.0-12.4). All routers crashed with some type of BUS ERROR. Command can be issued in user mode, therefore I think it can be considered as vulnerability to potentially cause DOS.'" Of course, the command has to be entered in user mode, so while potentially a vulnerability, chances are your local IOS-based router won't be DoSed via the bug any time soon.


  1. does it count as denial of service by Ferzerp · · Score: 2, Insightful

    if your own people have to do it?

    1. Re:does it count as denial of service by Xerxes_au · · Score: 2, Insightful

      Fair enough that you mention that it requires a valid login to trigger this bug. Once logged in there's plenty of nasty things you can do to a Cisco router (or any other) without needing to trigger random bugs.

      I've worked in the area for a number of years now supporting both Cisco and Linux based network infrastructure, and I can say with some confidence that on a large scale, bugs in various programs which can lead to total loss of service are hardly rare. DoS bugs exist, and while many will just randomly occur over time, some are able to be triggered at will.

      This is why people use strong account policies, passwords, and firewalls to control access to any network device.

      It might be worth mentioning that Cisco TAC is very good, and can usually help resolve such issues expediently, given that you're willing to pay for such services. ...If you don't have a Cisco contract to obtain support and IOS updates, and depending on what you're doing, maybe you're better off looking at obtaining such support for free by going with other mainstream software (i.e. GNU/Linux) ;-)

  2. Looking Glass by Anonymous Coward · · Score: 1, Insightful

    There are many routers out there running IOS that are used for Looking Glass purposes, so, yes, this is a problem I guess..

  3. Old news (to everyone but Cisco) by OriginalArlen · · Score: 4, Insightful

    This was widely publicized (amongst the loose communities of Cisco users, anyway) back around the time the original post was made. Hey, that would have been... 18th August! :)

    To be fair, there IS a story here, which is that Cisco only just acknowledged this officially.

    Service Provider types (the operators of routers whose successful attack would actually affect anyone in the real world) have been well aware of this. But as others have pointed out, if you don't trust your admins, and you're not running proper logging and a proper audit trail of admin sessions already, you've got bigger problems than this.

    --

    Everything I needed to know about life, I learnt from Blake's Seven

  4. Re:A question by Anonymous Coward · · Score: 1, Insightful

    Quite a bit. If you look at a standard Linksys router, it is a simple Broadcom (or Marvell) CPU+Network processor. Most companies use one of these chips in their consumer routers. They are cheap, and give the features most home users want (routing packets, simple firewall, wireless etc.). However, they are not as fast, nor are they flexible, as this would add to the cost. (Actually, many other "enterprise" routers/switches use the same $5.00 chips.) Once you need a new feature... you buy a new router... Not a big deal for a $50.00 router.

    In my experience the 2800 hardware is rock solid. I have managed over 200 of these in the past and only had 1 failure. Caused by water.

    So, other than having the huge support behind it, what makes a simple Cisco 2800 router? They are specially designed and include specialized TCAM memory, encryption coprocessors, DSPs, and TDM switching. They can do IPS, encryption, wireless, multi-protocol routing, voice and video. They offer support for IPv6, BGP, multicast, and others. They are modular and you have the capability to add almost any possible type of WAN port (T1, DSL, DS3, EVDO, EDGE), or all sorts of modules from a WAN acceleration module to PoE enabled switching, all the way to a voicemail system...

    As for your network, I can guarantee that the OpenWRT is nowhere as feature rich as a Cisco router. You probably just never turned it on. I love using OpenWRT at home, but at the office, not a chance. Honestly, at the office, if you are just providing 5 people access to the internet over cable or DSL, and have no need for anything else other than moving packets, then OpenWRT is probably fine. If you are looking to provide features such as IP Voice, Advanced QoS, Network Admission Control, WAN Acceleration, Multi-point VPN tunnels, SSL VPN, or need a replacement in Kazakhstan within 4 hours, you probably need to go with the Cisco.

  5. Re:A question by Repossessed · · Score: 2, Insightful

    The biggest thing I see between the expensive Cisco stuff and the cheap WRT stuff (once you flash the firmware, and thank god for the GPL, cause the original stuff sucked), is that the Cisco kit will support large gigabit networks, (And you can get older Cisco branded stuff at Linksys prices that doesn't if you shop the right channels).

    Assuming you only need 100Mbit though (which is fine for lower tiered subnets), well... there are three systems hooked up to my WRT54GL, and it's running at about 10% of capacity. I could probably squeeze a bit more out of it by turning the wireless off, but still wouldn't want to put more than 25 or so machines on it. And if those machines do anything fancy with the network, I might want to drop that even further.

    --
    Liberte, Egalite, Fraternite (TM)

  6. Re:A question by OriginalArlen · · Score: 3, Insightful

    At the low end, there's not a great deal of difference beyond the value of the brand (which is non-zero: how many replies do job ads for "network engineer, min 4 years experience with Linux based routers" get vs. "cisco-based routers"? )

    At pretty much anything above the branch office level, however, there's a huge difference. The two biggies are the backplane, and the ability to support proper linecards with offload routing processors. When you have a fat high-end device in your network core with 8 16-way OC3 linecards, there's just no way the standard PC architecture can keep up. The PC architecture just isn't designed to shift massive amounts of IO, twiddle bits on a zillion and one packets per second, then route them out a different interface.

    If your cable runs look like this then you are not going to be using PC hardware, believe me.

    Juniper are a good alternative to Cisco, though. There is now finally some competition.

    --

    Everything I needed to know about life, I learnt from Blake's Seven

  7. I guess I'm a security researcher then by twigles · · Score: 2, Insightful

    Since I did a "show buffers all" on a 4948 and it reloaded the box. General rule I follow is that if you have to have root access to do something, it's not a vulnerability. This is just a TAC case/bug fix.