cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1219
Views
20
Helpful
16
Replies

BGP Vulnerability - all IOSes affected

Pavel Bykov
Level 5
Level 5

I have just discovered a regular expression that crashes the router. I suspect the error is because of division by zero. Since I work for the Enterprise, I do not have direct access to TAC. Please somebody report this to Cisco. I have tested it on ranges of routers (2611, 2821, 2851, 7206) and IOSes (12.0-12.4). All routers crashed with some type of BUS ERROR.

Command can be issued in user mode, therefore I think it can be considered as vulnerability to potentially cause DOS.

I do not know a better way to report this, so I am posting it here.

16 Replies 16

Pavel Bykov
Level 5
Level 5

Right, forgot the command.

The command is:

show ip bgp regexp (.*)(\1)+

Basically, the logic is to create "one or more repetition of zero or more occurences"

Slidersv, it's a good finding. However I don't think they will consider that a vulnerability and even to be opened as a bug will require a customer with a contract complaining.

Seems I'll have to persuade our integrator to open a TAC case then...

Thats a good finding.

I will try it on one of my routers and report it TAC as well

Narayan

Oops. Sorry. Didn't check the command before posting. Forgot the underline:

show ip bgp regexp (.*)(_\1)+

Also, i found that some platforms have different interpretations of ".*" in conjuncture with repetition of "\1".

In case somewhere it won't work (although so far it worked everywhere i tried), following surely will:

show ip bgp regexp ([0-9]*)(_\1)+

Hi,

I've tried both commands on one of my 7206VXR (NPE300) in the lab (having full internet routing table) and both commands did no harm, the router is running 12.2(25)S5, maybe Cisco got this fixed, you can further try it on one of the internet route servers running the same code (try this one 213.200.64.94 - TISCALI).

HTH,

Mohammed Mahmoud.

You're right, it works on the said route-server.

I guess not all versions are affected, and i just had a string of luck with IOS/platform combinations.

This route server crashes for example:

route-server.ip.att.net

Do you know of any other route servers?

I'll add all platforms and IOSes I have tried it on to my tac request.

Here is a quick list of LAB at hand, all of which crashed by the command just now:

1.

cisco 2610 (MPC860) processor (revision 0x202)

c2600-j1s3-mz.123-20.bin

2.

Cisco 3725 (R7000) processor

c3725-entservicesk9-mz.124-1.bin

AT&T's route server is down for now, so i can't post it's HW/SW combination. I know my LAB's 7206, 2851, 2821, and 3745 all crashed.

I'll just have to write add of the HW/SW combinations to TAC

Hi Pavlo,

Both crashed my lab 2821 router running c2800nm-spservicesk9-mz.124-3g.bin :)

HTH,

Mohammed Mahmoud.

My 3825 crashed as well :-)

12410 12.0.32S7 didn't crash

mlasarko
Level 1
Level 1

Not an issue on:

2621XM w/ c2600-adventerprisek9-mz.124-10a

3845 w/ c3845-adventerprisek9-mz.124-10a

Both accept the posted commands without a problem.

~M

dciccaro
Cisco Employee
Cisco Employee

Hi there. This is Dario Ciccarone from the Cisco PSIRT (Product Security Incident Response Team).

We've been notified of this issue. It looks similar to CSCsb08386 - customers experiencing the issue are suggested to open a TAC SR and provide the TAC CSE with any information available that would help troubleshoot the issue - including show tech, crashdump (if available), traceback, etc.

Any customer experiencing the issue who would be interested in a PSIRT escalation for evaluation should notify the TAC CSE of such - asking the CSE to contact PSIRT with the TAC SR number for further evaluation.

In addition to that, the Cisco PSIRT Security Vulnerability Policy is available at http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html - for any customer, with our without a service contract, which might be interested in contacting us.

Thanks,

Dario

Thank you Dario. I didn't know about PSIRT at all - not much into security (More of a BGP/QoS/VAservices). And thanks to all for input and eventually reporting the problem. I'd like to see this issue fixed.

For info, here are some other HW/SW combinations that crash:

1. cisco 7206VXR (NPE-G1) processor (revision B) with 491520K/32768K bytes of memory.

(C7200-JK9O3S-M), Version 12.3(21)

2. cisco 7206VXR (NPE400) processor (revision A) with 491520K/32768K bytes of memory.

(C7200-JS-M), Version 12.2(18)S12

3. Cisco 2851 (revision 53.51) with 249856K/12288K bytes of memory.

(C2800NM-ENTSERVICESK9-M), Version 12.3(14)T7

I'm tempted to test it on production 7206 with 12.3 T-train since we are dual homed, but I am too responsible for that... Besides, it's NPE-G1, which I know crashes, and 2851 with T-train crashes as well.

I tested with 12.2.23f as well, but could not simulate.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Innovations in Cisco Full Stack Observability - A new webinar from Cisco