Friday, August 17, 2007

DoS Vulnerability in Cisco IOS Compromises the Routers of ISPs

Via heise Security News.

A denial of service vulnerability in Cisco's IOS network operating system can be exploited to reboot ISP routers. The problem arises when processing the "show ip bgp regexp" command if certain regular expressions are used as arguments. As a result, the router reboots and has to rebuild its BGP routing table. If this occurs several times in succession, resulting in a route becoming unavailable repeatedly, the router may be ignored by other providers for a certain amount of time as a result. This would cause a provider's network to become unavailable.

Usually, every ISP provides public route servers or route monitors which are accessible to anyone via Telnet and can be used to execute the command in question. Route servers are used for retrieving the routing information between ISPs. Apart from Telnet access, some providers also allow access via the Looking Glass web interface, which is basically a Telnet wrapper and can also be exploited to transfer crafted parameters to a router.

Although this vulnerability is very easily exploited, its scope is difficult to assess. Large ISPs use dedicated route server systems which only return information but are not used for routing. Things may be different for smaller providers who process everything on the same system in order to be cost-efficient. In addition, a Looking Glass server can access a large ISP's core router, which creates an indirect vulnerability.

According to reports, no updated IOS version has so far become available and Cisco has not yet released any information about this problem through official channels. As a workaround solution, some ISPs have started to filter out specific regular expressions on the Looking Glass servers. With Telnet access it is allegedly sufficient to disable the "show ip bgp regexp" command.

Administrators should implement the workaround solutions as soon as possible since detailed information about this vulnerability is already being circulated on various IRC channels.

More here.

NOTE: Anyone with additional information on this please leave a comment. Likewise, if I discover additional information, I will update this blog entry. I do not see any mention of this yet on the Cisco Systems Security Advisories page. - ferg

posted by Fergie @ 8/17/2007 11:27:00 AM

0 Comments:

Post a Comment

<< Home