Skip Navigation

  • Home
  • Contact us
  • FAQ
  • Glossary
  • Public key
  • Sitemap
  • Cymraeg
  • What's new
CPNI - Centre for the Protection of National Infastructure

Advanced search

  • About CPNI
  • The threats
  • Security planning
  • Methods of attack
  • Protecting your assets
  • Products and services
    • CSIRTUK advisories
      • Advisories archive
    • General protective security publications
    • InfoSec briefings
    • InfoSec technical notes
    • InfoSec vulnerability disclosures
    • Good practice guidelines
    • Viewpoints
    • Information exchanges
    • Risk Management Delivery Group
  • Research
Home > Products and services > CSIRTUK advisories > Advisories archive > September 2007 > 3381 - Cisco Security Response: Reload on Processing a Command Including a Regular Expression

September 2007

3381 - Cisco Security Response: Reload on Processing a Command Including a Regular Expression

ID: 3381
Date: 12 September 2007 21:48
Title: 3381 - Cisco Security Response: Reload on Processing a Command Including a Regular Expression
Abstract: This is the Cisco Product Security Incident Response Team (PSIRT) response to a vulnerability that was reported on the Cisco NSP mailing list on August 17, 2007 regarding the crash and reload of devices running Cisco IOS after executing a command that uses, either directly or indirectly, a regular expression.
Vendors affected:Cisco
Source: Cisco
Reliability of source: Trusted
Source URL: http://www.cisco.com/warp/public/707/cisco-sr-20070912-regexp.shtml

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Cisco Security Response: Reload on Processing a Command Including a Regular Expression

http://www.cisco.com/warp/public/707/cisco-sr-20070912-regexp.shtml

Revision 1.0

For Public Release 2007 September 12 1600 UTC (GMT)

+--------------------------------------------------------------------

Cisco Response
==============

This is the Cisco Product Security Incident Response Team (PSIRT) response to a vulnerability that was reported on the Cisco NSP mailing list on August 17, 2007 regarding the crash and reload of devices running Cisco IOS after executing a command that uses, either directly or indirectly, a regular expression. The original post is available at the following link:

https://puck.nether.net/pipermail/cisco-nsp/2007-August/043002.html

The Cisco PSIRT posted a preliminary response on the same day and is available at the following link:

https://puck.nether.net/pipermail/cisco-nsp/2007-August/043010.html

Preliminary research pointed to a previously known issue that was documented as Cisco bug ID CSCsb08386, and entitled "PRP crash by show ip bgp regexp", which was already resolved. Further research indicates that the current issue is a different but related vulnerability.

There are no workarounds available for this vulnerability. Cisco will update this document in the event of any changes.

Additional Information
======================

Cisco IOS includes a regular expression engine that is used to process regular expressions that are provided as part of a command that is typed on the command line interface (CLI), as seen in the following example:

    Router#show ip bgp regexp [regexp]

or

When using a regular expression as part of a filter that is invoked after piping the output of a command into a filter, as seen in the following example:

    Router#show running-config | include [regexp]

or

- From the "--more--" prompt while paginating through the output of a previously executed command, by typing "/[regexp]" while on the "--more--" prompt.

Some regular expressions that make use of combined repetition operators
('*') and pattern recalls ("\1", "\2", etc.) into the same expression may result in a stack overflow on the Cisco IOS regular expression engine. A stack overflow will result in a reload of the device.

Note: To execute such commands including regular expressions, a user has to have access to the device CLI. This access implies that a user can log in into the device by providing valid user credentials.

Products Affected by This Vulnerability
+--------------------------------------

Note: The following list is subject to change. Cisco is continuing to review the potential impact of this vulnerability on its products; this list may be updated to include additional Cisco products that are affected by this vulnerability.

  * Cisco IOS releases 12.0, 12.1, 12.2, 12.3 and 12.4 - Cisco bug ID
    is CSCsk14633. There is no fixed software available at the time of
    this writing.

No other Cisco products are currently known to be affected by this vulnerability. Cisco IOS XR is not affected by this vulnerability.

Workarounds
+----------

There is no workaround for this vulnerability.

THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.

Revision History
================

+------------------------------------------------------------+
| Revision 1.0 | 2007-September-12 | Initial public release  |
+------------------------------------------------------------+

Cisco Security Procedures
=========================

Complete information on reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco, is available on Cisco's worldwide website at http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html.
This includes instructions for press inquiries regarding Cisco security notices. All Cisco security advisories are available at http://www.cisco.com/go/psirt.

+--------------------------------------------------------------------
All contents are Copyright   2006-2007 Cisco Systems, Inc. All rights
reserved.
+--------------------------------------------------------------------

Updated: Sep 12, 2007                              Document ID: 98766

+--------------------------------------------------------------------
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFG6BQU8NUAbBmDaxQRAmVaAJ0WpBL0Xlryq4RDQqUWNzJ2aYKPqACdGkHq
WPLOXa6jmnf7kXaJI0pfYQc=
=QUfs
-----END PGP SIGNATURE-----

This advisory contains information released by the original author. Some of the information may have changed since it was released. If the issue affects you, it may be prudent to retrieve the advisory from the site of the original source to ensure that you receive the most current information concerning that problem. Reference to any specific commercial product, process, or service by trade name, trademark manufacturer, or otherwise, does not constitute or imply its endorsement, recommendation, or favouring by CPNI.

The views and opinions of authors expressed within this notice shall not be used for advertising or product endorsement purposes. CPNI shall not accept responsibility for any errors or omissions contained within this advisory. In particular, they shall not be liable for any loss or damage whatsoever, arising from or in connection with the usage of information contained within this advisory.

CSIRTUK is a member of the Forum of Incident Response and Security Teams (FIRST) and has contacts with other international Incident Response Teams (IRTs) in order to foster cooperation and coordination in incident prevention, to prompt rapid reaction to incidents, and to promote information sharing amongst its members and the community at large.

  • Accessibility |
  • Terms and conditions |
  • Privacy statement |
  • Data protection act |
  • Freedom of information |