BGP Vulnerability - all IOSes affected

Unanswered Question
Aug 14th, 2007

I have just discovered a regular expression that crashes the router. I suspect the error is because of division by zero. Since I work for the Enterprise, I do not have direct access to TAC. Please somebody report this to Cisco. I have tested it on ranges of routers (2611, 2821, 2851, 7206) and IOSes (12.0-12.4). All routers crashed with some type of BUS ERROR.

Command can be issued in user mode, therefore I think it can be considered as vulnerability to potentially cause DOS.

I do not know a better way to report this, so I am posting it here.

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 3.3 (6 ratings)
Pavel Bykov Tue, 08/14/2007 - 09:24

Right, forgot the command.

The command is:

show ip bgp regexp (.*)(\1)+

Basically, the logic is to create "one or more repetition of zero or more occurences"

Paolo Bevilacqua Tue, 08/14/2007 - 11:48

Slidersv, it's a good finding. However I don't think they will consider that a vulnerability and even to be opened as a bug will require a customer with a contract complaining.

Pavel Bykov Thu, 08/16/2007 - 10:34

Seems I'll have to persuade our integrator to open a TAC case then...

royalblues Thu, 08/16/2007 - 11:44

Thats a good finding.

I will try it on one of my routers and report it TAC as well


Pavel Bykov Thu, 08/16/2007 - 12:31

Oops. Sorry. Didn't check the command before posting. Forgot the underline:

show ip bgp regexp (.*)(_\1)+

Also, i found that some platforms have different interpretations of ".*" in conjuncture with repetition of "\1".

In case somewhere it won't work (although so far it worked everywhere i tried), following surely will:

show ip bgp regexp ([0-9]*)(_\1)+

mohammedmahmoud Thu, 08/16/2007 - 21:49


I've tried both commands on one of my 7206VXR (NPE300) in the lab (having full internet routing table) and both commands did no harm, the router is running 12.2(25)S5, maybe Cisco got this fixed, you can further try it on one of the internet route servers running the same code (try this one - TISCALI).


Mohammed Mahmoud.

Pavel Bykov Thu, 08/16/2007 - 23:23

You're right, it works on the said route-server.

I guess not all versions are affected, and i just had a string of luck with IOS/platform combinations.

This route server crashes for example:

Do you know of any other route servers?

I'll add all platforms and IOSes I have tried it on to my tac request.

Here is a quick list of LAB at hand, all of which crashed by the command just now:


cisco 2610 (MPC860) processor (revision 0x202)



Cisco 3725 (R7000) processor


AT&T's route server is down for now, so i can't post it's HW/SW combination. I know my LAB's 7206, 2851, 2821, and 3745 all crashed.

I'll just have to write add of the HW/SW combinations to TAC

mohammedmahmoud Thu, 08/16/2007 - 23:49

Hi Pavlo,

Both crashed my lab 2821 router running c2800nm-spservicesk9-mz.124-3g.bin :)


Mohammed Mahmoud.

mlasarko Fri, 08/17/2007 - 06:45

Not an issue on:

2621XM w/ c2600-adventerprisek9-mz.124-10a

3845 w/ c3845-adventerprisek9-mz.124-10a

Both accept the posted commands without a problem.


dciccaro Fri, 08/17/2007 - 06:46

Hi there. This is Dario Ciccarone from the Cisco PSIRT (Product Security Incident Response Team).

We've been notified of this issue. It looks similar to CSCsb08386 - customers experiencing the issue are suggested to open a TAC SR and provide the TAC CSE with any information available that would help troubleshoot the issue - including show tech, crashdump (if available), traceback, etc.

Any customer experiencing the issue who would be interested in a PSIRT escalation for evaluation should notify the TAC CSE of such - asking the CSE to contact PSIRT with the TAC SR number for further evaluation.

In addition to that, the Cisco PSIRT Security Vulnerability Policy is available at - for any customer, with our without a service contract, which might be interested in contacting us.



Pavel Bykov Fri, 08/17/2007 - 07:56

Thank you Dario. I didn't know about PSIRT at all - not much into security (More of a BGP/QoS/VAservices). And thanks to all for input and eventually reporting the problem. I'd like to see this issue fixed.

For info, here are some other HW/SW combinations that crash:

1. cisco 7206VXR (NPE-G1) processor (revision B) with 491520K/32768K bytes of memory.

(C7200-JK9O3S-M), Version 12.3(21)

2. cisco 7206VXR (NPE400) processor (revision A) with 491520K/32768K bytes of memory.

(C7200-JS-M), Version 12.2(18)S12

3. Cisco 2851 (revision 53.51) with 249856K/12288K bytes of memory.

(C2800NM-ENTSERVICESK9-M), Version 12.3(14)T7

I'm tempted to test it on production 7206 with 12.3 T-train since we are dual homed, but I am too responsible for that... Besides, it's NPE-G1, which I know crashes, and 2851 with T-train crashes as well.

jmla8900 Sat, 09/15/2007 - 16:49

I tried it on some of my lab stuff running 12.3 and it was affected, but my old 12.2 enterprise stuff ran it just fine without blowing up. Odd that it affects the newer stuff and not the old.

carl.gruber Mon, 09/17/2007 - 03:48

3550 running 12.2(37)SE died when running the reg exp as 'show running-config | include'.


This Discussion