id: cisco-ios-xe-panel

info:
  name: Cisco IOS XE - Detect
  author: bhutch
  severity: info
  description: |
    Cisco IOS XE login panel was detected.
  reference:
    - https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxe-webui-privesc-j22SaA4z
  classification:
    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
    cwe-id: CWE-200
    cpe: cpe:2.3:o:cisco:ios_xe:*:*:*:*:*:*:*:*
  metadata:
    verified: "true"
    max-request: 2
    vendor: cisco
    product: ios_xe
    shodan-query: http.html_hash:1076109428
  tags: panel,cisco,ssl
ssl:
  - address: "{{Host}}:{{Port}}"

http:
  - method: GET
    path:
      - "{{BaseURL}}"

    matchers:
      - type: dsl
        dsl:
          - contains(http_body,'webui')
          - contains(ssl_issuer_dn,'IOS-Self-Signed-Certificate')
        condition: and

    extractors:
      - type: kval
        kval:
          - ssl_issuer_dn
# digest: 4a0a00473045022100fb217f221528624ecd03776b7e9be729d7737d0205c72623af3f429e39aa15d902203e0c6eda2143fcb1e3a8b302b5023ee07366273cb686ae6948ccf79212902ee4:922c64590222798bb761d5b6d8e72950