id: cisco-ios-xe-panel

info:
  name: Cisco IOS XE - Detect
  author: bhutch
  severity: info
  description: |
    Cisco IOS XE login panel was detected.
  reference:
    - https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxe-webui-privesc-j22SaA4z
  classification:
    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
    cwe-id: CWE-200
    cpe: cpe:2.3:o:cisco:ios_xe:*:*:*:*:*:*:*:*
  metadata:
    max-request: 2
    product: ios_xe
    shodan-query: http.html_hash:1076109428
    vendor: cisco
    verified: "true"
  tags: panel,cisco,ssl
ssl:
  - address: "{{Host}}:{{Port}}"

http:
  - method: GET
    path:
      - "{{BaseURL}}"

    matchers:
      - type: dsl
        dsl:
          - contains(http_body,'webui')
          - contains(ssl_issuer_dn,'IOS-Self-Signed-Certificate')
        condition: and

    extractors:
      - type: kval
        kval:
          - ssl_issuer_dn
# digest: 4a0a0047304502202fe35c96fb944e3d037046c1f09ff2f3ed415c0d970e45d4d773e6cf4ae54524022100e9932ba706b8ed5327ed31e38d683ece8904f976e2d79612340df07051645348:922c64590222798bb761d5b6d8e72950