id: cisco-smi-exposure

info:
  name: Cisco Smart Install Endpoints Exposure
  author: dwisiswant0
  severity: info
  description: |
    This template attempts & supports the detection part only by
    connecting to the specified Cisco Smart Install port and determines
    if it speaks the Smart Install Protocol. Exposure of SMI to
    untrusted networks can allow complete compromise of the switch.
  reference:
    - https://blog.talosintelligence.com/2017/02/cisco-coverage-for-smart-install-client.html
    - https://blogs.cisco.com/security/cisco-psirt-mitigating-and-detecting-potential-abuse-of-cisco-smart-install-feature
    - https://tools.cisco.com/security/center/content/CiscoSecurityResponse/cisco-sr-20170214-smi
    - https://github.com/Cisco-Talos/smi_check/blob/master/smi_check.py#L52-L53
    - https://github.com/Sab0tag3d/SIET
  tags: network,cisco,smi,exposure

network:
  - inputs:
      - data: "000000010000000100000004000000080000000100000000"
        type: hex

    host:
      - "{{Hostname}}"
      - "{{Hostname}}:4786"

    matchers:
      - type: word
        encoding: hex
        words:
          - "000000040000000000000003000000080000000100000000"