We have received information about potential active reconnaissance for TCP 4786 which might be related to CVE-2016-6385 (Cisco IOS and IOS XE Software Smart Install Memory Leak Vulnerability) an advisory released 28 Sep 2016. This vulnerability could allow an unauthenticated user to cause a memory leak that could lead to a Denial of Service (DoS). If you are using Cisco IOS XE Software, "Cisco has released free software updates that address the vulnerability described in this advisory."[4]

So far we have very little information but this is the type of IOS activity you should be looking for:

Oct 21 20:12:46 MDT: %SM-4-BADEVENT: Event 'ibcs_e_download_msg_req_recv' is invalid for the current state 'ibcs_s_accept': smi_ibc_serv SMI IBCS sm
-Traceback= XXXXXXX 1C2E850 1C1AC2C 1C2EDF4 1C2F5EC 1C2F7B8 1C1C40C 1C1C5BC 1C1C74C 1C1CA60 1C1B0B4 1B9774C 1B8E1D8
Oct 21 20:12:46 MDT: %SM-4-BADEVENT: Event 'ibcs_e_download_msg_resp_send' is invalid for the current state 'ibcs_s_accept': smi_ibc_serv SMI IBCS sm
-Traceback= XXXXXXX 1C2E878 1C1AD58 1C2EDF4 1C2F5EC 1C2F7B8 1C1C40C 1C1C5BC 1C1C74C 1C1CA60 1C1B0B4 1B9774C 1B8E1D8
Oct 21 20:12:46 MDT: VSTACK_ERR: smi_ibc_dl_handle_events : invalid message

If you have packets or logs that might help assess if this is related to this vulnerability, use our contact page to send them to us.

[1] https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-6385
[2] https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160928-smi
[3] https://tools.cisco.com/security/center/viewErp.x?alertId=ERP-56513
[4] https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160928-smi#fixed
[5] http://www.securityfocus.com/archive/1/539511
[6] https://isc.sans.edu/port.html?port=4786

-----------
Guy Bruneau IPSS Inc.
Twitter: GuyBruneau
gbruneau at isc dot sans dot edu