In association with heise online

17 August 2007, 17:03

DoS vulnerability in Cisco IOS compromises Internet routers [Update]


A denial of service vulnerability in Cisco's IOS network operating system can be exploited to reboot ISP routers. The problem arises when the "show ip bgp regexp" command is processed with certain regular expressions as arguments. As a result, the router reboots and has to rebuild its BGP routing table. If this happens several times in succession, so that the router's routes become unavailable repeatedly, other providers may ignore the router for a certain amount of time. This would cause a provider's network to become unavailable.

Usually, every ISP provides public route servers or route monitors which are accessible to anyone via Telnet and can be used to execute the command in question. Route servers are used for retrieving the routing information between ISPs. Apart from Telnet access, some providers also allow access via the Looking Glass web interface, which is basically a Telnet wrapper and can also be exploited to transfer crafted parameters to a router.

Although this vulnerability is very easily exploited, its scope is difficult to assess. Large ISPs use dedicated route server systems which only return information but are not used for routing. Things may be different for smaller providers who process everything on the same system in order to be cost-efficient. In addition, a Looking Glass server can access a large ISP's core router, which creates an indirect vulnerability.

According to reports, no updated IOS version has so far become available and Cisco has not yet released any information about this problem through official channels. As a workaround, some ISPs have started to filter out specific regular expressions on their Looking Glass servers. With Telnet access it is allegedly sufficient to disable the "show ip bgp regexp" command.

Administrators should implement the workarounds as soon as possible, since detailed information about this vulnerability is already being circulated on various IRC channels.
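One way to implement the Looking Glass filtering workaround described above, as an added example rather than code from Cisco or any provider: a Python allowlist validator for the AS-path regular expression a user submits, run before the argument is forwarded to "show ip bgp regexp". The permitted character set, length limit, nesting depth and quantifier limit are assumptions chosen for a conservative front end, not values from the article.

```python
import re

# Constructed policy for a Looking Glass front end (assumed values): only a
# conservative subset of IOS AS-path regex syntax is forwarded to the router.
ALLOWED_CHARS = re.compile(r'[0-9_^$.*+?()\[\]|-]+')
STACKED_QUANTIFIER = re.compile(r'[*+?]{2}')   # e.g. "**" or "+*"
QUANTIFIED_GROUP = re.compile(r'\)[*+?]')       # e.g. "(1_2)*"
MAX_LENGTH = 64
MAX_GROUP_DEPTH = 2
MAX_QUANTIFIERS = 4

def groups_balanced(expr, max_depth):
    """True if ( ) and [ ] are balanced and groups are not nested deeper than max_depth."""
    depth = 0
    in_class = False
    for ch in expr:
        if in_class:
            in_class = ch != ']'        # bracket classes may contain ( and )
        elif ch == '[':
            in_class = True
        elif ch == '(':
            depth += 1
            if depth > max_depth:
                return False
        elif ch == ')':
            depth -= 1
            if depth < 0:
                return False
    return depth == 0 and not in_class

def validate_as_path_regexp(expr):
    """Return (accepted, reason). Only accepted expressions may be sent to the router."""
    if not expr or len(expr) > MAX_LENGTH:
        return False, "empty or longer than %d characters" % MAX_LENGTH
    if not ALLOWED_CHARS.fullmatch(expr):
        return False, "character outside the permitted AS-path regex subset"
    if not groups_balanced(expr, MAX_GROUP_DEPTH):
        return False, "unbalanced or too deeply nested grouping"
    if QUANTIFIED_GROUP.search(expr) or STACKED_QUANTIFIER.search(expr):
        return False, "quantifier applied to a group or stacked quantifiers"
    if sum(expr.count(q) for q in "*+?") > MAX_QUANTIFIERS:
        return False, "more than %d quantifiers" % MAX_QUANTIFIERS
    return True, "ok"

if __name__ == "__main__":
    # Constructed sample inputs a Looking Glass user might submit.
    for sample in ("^3320_", "_[0-9]+_", "^(1299_)+$", "_1_**", "((1)"):
        print(sample, validate_as_path_regexp(sample))
```

Expressions the validator rejects should be answered with the reason string instead of being passed to the route server.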

Cisco informed heise Security that it is aware of this problem and that Cisco PSIRT (Product Security Incident Response Team) is currently investigating the issue. After initial checks it looks similar to issue CSCsb08386, which has been known since 2005. As a temporary workaround Cisco suggests enabling the "Deterministic Regular Expression Engine". We will keep you updated on the upcoming official response from Cisco.
