id: cisco-smi-exposure info: name: Cisco Smart Install Endpoints Exposure author: dwisiswant0 severity: info description: | This template attempts & supports the detection part only by connecting to the specified Cisco Smart Install port and determines if it speaks the Smart Install Protocol. Exposure of SMI to untrusted networks can allow complete compromise of the switch. reference: - https://blog.talosintelligence.com/2017/02/cisco-coverage-for-smart-install-client.html - https://blogs.cisco.com/security/cisco-psirt-mitigating-and-detecting-potential-abuse-of-cisco-smart-install-feature - https://tools.cisco.com/security/center/content/CiscoSecurityResponse/cisco-sr-20170214-smi - https://github.com/Cisco-Talos/smi_check/blob/master/smi_check.py#L52-L53 - https://github.com/Sab0tag3d/SIET tags: network,cisco,smi,exposure network: - inputs: - data: "000000010000000100000004000000080000000100000000" type: hex host: - "{{Hostname}}" - "{{Hostname}}:4786" matchers: - type: word encoding: hex words: - "000000040000000000000003000000080000000100000000"