
News for nerds, stuff that matters

Cisco Confirms Regex Flaw in IOS

Posted by CowboyNeal on Sat Sep 15, 2007 11:01 AM
from the does-not-compute dept.
gattaca writes "Cisco has announced a confirmation of an unpatched denial of service vulnerability in Cisco IOS. From the NetPro Forum post: 'I have just discovered a regular expression that crashes the router. I suspect the error is because of division by zero. Since I work for the Enterprise, I do not have direct access to TAC. Please somebody report this to Cisco. I have tested it on ranges of routers (2611, 2821, 2851, 7206) and IOSes (12.0-12.4). All routers crashed with some type of BUS ERROR. Command can be issued in user mode, therefore I think it can be considered as vulnerability to potentially cause DOS.'" Of course, the command has to be entered in user mode, so while potentially a vulnerability, chances are your local IOS-based router won't be DoSed via the bug any time soon.

  • does it count as denial of service (Score:3, Insightful)

    by Ferzerp (83619) on Saturday September 15, @11:06AM (#20616609)
    if your own people have to do it?
  • Get off the bus (Score:1)

    by The Clockwork Troll (655321) on Saturday September 15, @11:10AM (#20616635)
    Nitpick: if it were a division by zero fault, would it really trigger a bus error, or more likely a ... division by zero error?
  • Then don't do that (Score:2, Funny)

    by Anonymous Coward on Saturday September 15, @11:13AM (#20616679)
    FTA: "I have just discovered a regular expression that crashes the router. I suspect the error is because of division by zero."

    Reminds me of:

    Patient: "My arm hurts when I do this." <wiggles arm>
    Doctor: "Then don't do that."

    The solution is obvious: don't use that regex/divide by zero. Duhhhh. Problem solved. Thank you, come again.
  • A bigger IOS flaw discovered (Score:5, Funny)

    by packetmon (977047) on Saturday September 15, @11:17AM (#20616723)
    (http://www.infiltrated.net/)
    A bigger vulnerability has been discovered just now as well...

    r8#sh ver | in IOS
    IOS (tm) C2600 Software (C2600-IO3-M), Version 12.2(15)T2, RELEASE SOFTWARE (fc2)
    r8#reload
    Proceed with reload? [confirm]
    Seems like anyone with admin access can reload your router.

    IOS (tm) 4500 Software (C4500-A3JK9S-M), Version 12.2(40a), RELEASE SOFTWARE (fc1)
    frSwitch#reload
    Proceed with reload? [confirm]
    Confirmed on multiple routers as well! OMFG. On another note, anyone with local access to the router can power down the router causing a massive denial of service. Our admins here at GoodyTwoShoesNetworking.com are placing epoxy across all power buttons and cables to prevent this.
  • The Enterprise (Score:5, Funny)

    by AntEater (16627) on Saturday September 15, @11:25AM (#20616791)
    (http://slashdot.org/)
    "Since I work for the Enterprise, I do not have direct access to TAC. "

    Yes, Capt. Kirk can be very protective of the TAC.
  • RegEx's are incredibly dangerous (Score:3, Informative)

    by mosel-saar-ruwer (732341) on Saturday September 15, @11:29AM (#20616823)

    Writing code that can parse for any given syntax is, well, pretty much as difficult as writing a parsing front-end to a compiler.

    I.e. it is not trivial and it is fraught with danger.

    Any time you allow the user to submit arbitrary, un-screened, un-filtered data, you're just asking for trouble.

    Of course, I guess you could argue that the job of a RegEx parser is precisely to do the screening & the filtering for you, but it is not a trivial business, and anyone who approaches the problem as though it were a mere triviality is a fool.

    I.e. from the security point of view, the RegEx parser is a firewall [and, in all likelihood, is the only firewall], hence anyone writing a RegEx parser has to assume that the user submitting the input is a blackhat, not a whitehat.

    PS: And the problem undergoes manifold [if not infinite] complexification when you're dealing with languages [or "environments"] like HTML, Javascript, and XML, which can re-write themselves on the fly.

  • Looking Glass (Score:1, Insightful)

    by Anonymous Coward on Saturday September 15, @11:51AM (#20616985)
    There are many routers out there running IOS that are used for Looking Glass purposes, so, yes, this is a problem I guess..
  • Old news (to everyone but Cisco) (Score:5, Insightful)

    by OriginalArlen (726444) on Saturday September 15, @12:17PM (#20617195)
    This was widely publicized (amongst the loose communities of Cisco users, anyway) back around the time [secunia.com] the original post [nether.net] was made. Hey, that would have been... 18th August! :)

    To be fair, there IS a story here, which is that Cisco only just acknowledged this officially.

    Service Provider types (the operators of routers whose successful attack would actually affect anyone in the real world) have been well aware of this. But as others have pointed out, if you don't trust your admins, and you're not running proper logging and a proper audit trail of admin sessions already, you've got bigger problems than this.

  • A question (Score:1, Offtopic)

    by Poromenos1 (830658) on Saturday September 15, @12:19PM (#20617211)
    (http://www.poromenos.org/)
    Can someone explain to me the difference between a $50 OpenWRT router and a $2k Cisco one? I have both, and the OpenWRT router is by leaps and bounds more featureful than the Cisco one (I guess that doesn't really make sense, because for $20k the Cisco can have the same features). Obviously the difference is reliability/performance, but what are the exact limits? How many people do I have to have in my network before getting a Cisco? How will I know that?
    • Re:A question (Score:4, Insightful)

      by OriginalArlen (726444) on Saturday September 15, @02:12PM (#20617983)
      At the low end, there's not a great deal of difference beyond the value of the brand (which is non-zero: how many replies do job ads for "network engineer, min 4 years experience with Linux based routers" get vs. "cisco-based routers"? )

      At pretty much anything above the branch office level, however, there's a huge difference. The two biggies are the backplane, and the ability to support proper linecards with offload routing processors. When you have a fat high-end device in your network core with 8 16-way OC3 linecards, there's just no way the standard PC architecture can keep up. The PC architecture just isn't designed to shift massive amounts of IO, twiddle bits on a zillion and one packets per second, then route them out a different interface.

      If your cable runs look like this [tmk.com] then you are not going to be using PC hardware, believe me.

      Juniper are a good alternative to Cisco, though. There is now finally some competition.

  • not /0 error (Score:2)

    by v1 (525388) on Saturday September 15, @01:24PM (#20617667)
    (http://vftp.net/ | Last Journal: Saturday December 09 2006, @09:52PM)
    In case anyone cares, the reboot (or "reload" as cisco likes to call it) is caused by a stack overflow resulting from an uncaught recursive processing of specific combinations of regex options. The overflow must be input from the command line interface, after providing a valid username and password to login to the device. If you are being DOS'd by someone that has a valid login and password on your hardware, you have bigger issues that need dealing with before investigating firmware bugs in your router.
  • Crash a router using CLI access? (Score:1, Informative)

    by Anonymous Coward on Saturday September 15, @01:32PM (#20617727)
    If a rogue has CLI access to your router, you have bigger issues. Proper filtering, TACACS and Logging, Out of Band Management makes this a non-issue.

    The risk is almost the same as "reload" or the even more fun undocumented "test crash" commands.

    Granted I do not think this vulnerability requires "enable" access, which does increase the risk. However, nobody should have any CLI to a router that you do not trust.
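    As an added example (not from the thread and not Cisco's own text), this is the IOS configuration that implements the controls the comment above lists: a vty access-class so only a management network can reach the CLI, TACACS+ for login and command authorization, and command accounting at privilege level 1 as well as 15, so that a user-mode command, which is all this crash needs, is still recorded on the AAA server before the box reloads. The addresses, ACL name and key are placeholders.

    ```cisco
    ! Added example, not a configuration from the thread. All addresses,
    ! the ACL name and the shared key are placeholders to be replaced.
    !
    aaa new-model
    tacacs-server host 192.0.2.10 key REPLACE-WITH-REAL-KEY
    !
    ! Authenticate and authorize against TACACS+, falling back to the
    ! local database only if the server is unreachable.
    aaa authentication login default group tacacs+ local
    aaa authorization exec default group tacacs+ local
    aaa authorization commands 1 default group tacacs+ local
    aaa authorization commands 15 default group tacacs+ local
    !
    ! Account every command at both privilege levels. Level 1 matters here:
    ! the crash does not need "enable", so level-15-only accounting would
    ! never see the command that took the router down.
    aaa accounting exec default start-stop group tacacs+
    aaa accounting commands 1 default start-stop group tacacs+
    aaa accounting commands 15 default start-stop group tacacs+
    !
    ! Ship syslog off-box so the session history survives the reload.
    logging host 192.0.2.20
    logging trap informational
    !
    ! Filter who may even open a CLI session: the out-of-band management
    ! network only, and log anything else that tries.
    ip access-list standard MGMT-ONLY
     permit 192.0.2.0 0.0.0.255
     deny   any log
    !
    line vty 0 4
     access-class MGMT-ONLY in
     transport input ssh
     exec-timeout 10 0
    ```

    With this in place a reload triggered from the CLI shows up on the TACACS+ server as a named user's accounted command, which is the audit trail the commenters keep saying you should already have.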
  • by twigles (756194) on Saturday September 15, @06:41PM (#20620109)
    Since I did a "show buffers all" on a 4948 and it reloaded the box. General rule I follow is that if you have to have root access to do something, it's not a vulnerability. This is just a TAC case/bug fix.
  • User mode (Score:2)

    by bluefoxlucid (723572) on Saturday September 15, @08:59PM (#20621175)
    (Last Journal: Monday October 09 2006, @07:35PM)
    If you can telnet to the router's IP address and it doesn't block you (i.e. if there's any kind of remote administration), you get user exec mode. Good job.
  • Re:Not a surprise (Score:1)

    by Tanman (90298) on Saturday September 15, @12:13PM (#20617167)
    /0 does not mess up windows calc. They prepared for the error and it returns "Cannot divide by zero," then lets you continue on your merry way to further calculations.
  • Re:Not a surprise (Score:3, Funny)

    by Algorithmnast (1105517) on Saturday September 15, @12:20PM (#20617215)

    Dividing by zero screws everything up. Even Windows Calc, one of the most advanced pieces of software on the planet, can't do it.

    As it happens, I can divide by zero, but only when I try to figure out the inverse of the percentage of well-spent money from my tax dollars.

    Or perhaps, the ratio of posts to informational-posts.

    After all, Godwin needs revision - to paraphrase "A Beautiful Mind".
