I have just discovered a regular expression that crashes the router. I suspect the error is because of division by zero. Since I work for the Enterprise, I do not have direct access to TAC. Please somebody report this to Cisco. I have tested it on ranges of routers (2611, 2821, 2851, 7206) and IOSes (12.0-12.4). All routers crashed with some type of BUS ERROR.
Command can be issued in user mode, therefore I think it can be considered as vulnerability to potentially cause DOS.
I do not know a better way to report this, so I am posting it here.
Right, forgot the command.
The command is:
show ip bgp regexp (.*)(\1)+
Basically, the logic is to create "one or more repetition of zero or more occurences"
Slidersv, it's a good finding. However I don't think they will consider that a vulnerability and even to be opened as a bug will require a customer with a contract complaining.
Oops. Sorry. Didn't check the command before posting. Forgot the underline:
show ip bgp regexp (.*)(_\1)+
Also, i found that some platforms have different interpretations of ".*" in conjuncture with repetition of "\1".
In case somewhere it won't work (although so far it worked everywhere i tried), following surely will:
show ip bgp regexp ([0-9]*)(_\1)+
I've tried both commands on one of my 7206VXR (NPE300) in the lab (having full internet routing table) and both commands did no harm, the router is running 12.2(25)S5, maybe Cisco got this fixed, you can further try it on one of the internet route servers running the same code (try this one 220.127.116.11 - TISCALI).
You're right, it works on the said route-server.
I guess not all versions are affected, and i just had a string of luck with IOS/platform combinations.
This route server crashes for example:
Do you know of any other route servers?
I'll add all platforms and IOSes I have tried it on to my tac request.
Here is a quick list of LAB at hand, all of which crashed by the command just now:
cisco 2610 (MPC860) processor (revision 0x202)
Cisco 3725 (R7000) processor
AT&T's route server is down for now, so i can't post it's HW/SW combination. I know my LAB's 7206, 2851, 2821, and 3745 all crashed.
I'll just have to write add of the HW/SW combinations to TAC
Not an issue on:
2621XM w/ c2600-adventerprisek9-mz.124-10a
3845 w/ c3845-adventerprisek9-mz.124-10a
Both accept the posted commands without a problem.
Hi there. This is Dario Ciccarone from the Cisco PSIRT (Product Security Incident Response Team).
We've been notified of this issue. It looks similar to CSCsb08386 - customers experiencing the issue are suggested to open a TAC SR and provide the TAC CSE with any information available that would help troubleshoot the issue - including show tech, crashdump (if available), traceback, etc.
Any customer experiencing the issue who would be interested in a PSIRT escalation for evaluation should notify the TAC CSE of such - asking the CSE to contact PSIRT with the TAC SR number for further evaluation.
In addition to that, the Cisco PSIRT Security Vulnerability Policy is available at http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html - for any customer, with our without a service contract, which might be interested in contacting us.
Thank you Dario. I didn't know about PSIRT at all - not much into security (More of a BGP/QoS/VAservices). And thanks to all for input and eventually reporting the problem. I'd like to see this issue fixed.
For info, here are some other HW/SW combinations that crash:
1. cisco 7206VXR (NPE-G1) processor (revision B) with 491520K/32768K bytes of memory.
(C7200-JK9O3S-M), Version 12.3(21)
2. cisco 7206VXR (NPE400) processor (revision A) with 491520K/32768K bytes of memory.
(C7200-JS-M), Version 12.2(18)S12
3. Cisco 2851 (revision 53.51) with 249856K/12288K bytes of memory.
(C2800NM-ENTSERVICESK9-M), Version 12.3(14)T7
I'm tempted to test it on production 7206 with 12.3 T-train since we are dual homed, but I am too responsible for that... Besides, it's NPE-G1, which I know crashes, and 2851 with T-train crashes as well.
I tried it on some of my lab stuff running 12.3 and it was affected, but my old 12.2 enterprise stuff ran it just fine without blowing up. Odd that it affects the newer stuff and not the old.