Cisco Confirms Regex Flaw in IOS

Posted by CowboyNeal on Saturday September 15, 2007 @04:01AM from the does-not-compute dept.

gattaca writes "Cisco has announced a confirmation of an unpatched denial of service vulnerability in Cisco IOS. From the NetPro Forum post: 'I have just discovered a regular expression that crashes the router. I suspect the error is because of division by zero. Since I work for the Enterprise, I do not have direct access to TAC. Please somebody report this to Cisco. I have tested it on ranges of routers (2611, 2821, 2851, 7206) and IOSes (12.0-12.4). All routers crashed with some type of BUS ERROR. Command can be issued in user mode, therefore I think it can be considered as vulnerability to potentially cause DOS.'" Of course, the command has to be entered in user mode, so while potentially a vulnerability, chances are your local IOS-based router won't be DoSed via the bug any time soon.

1 of 61 comments (clear)

Min score:

Reason:

Sort:

Re:The Enterprise by Anonymous Coward · 2007-09-15 05:05 · Score: 3, Interesting

I always wonder why a company like Cisco, of which you would expect that it puts quality at a top priority, does not accept bug reports from owners of their devices who have not paid extra for a support contract.
Even when they don't want to guarantee response times or resolution times, at the very least they could register the problems their customers have discovered.