Request for Packets TCP 4786

Request for Packets TCP 4786 - CVE-2016-6385
We have received information about potential active reconnaissance for TCP 4786 which might be related to CVE-2016-6385 (Cisco IOS and IOS XE Software Smart Install Memory Leak Vulnerability) an advisory released 28 Sep 2016. This vulnerability could allow an unauthenticated user to cause a memory leak that could lead to a Denial of Service (DoS). If you are using Cisco IOS XE Software, "Cisco has released free software updates that address the vulnerability described in this advisory."[4] So far we have very little information but this is the type of IOS activity you should be looking for: Oct 21 20:12:46 MDT: %SM-4-BADEVENT: Event 'ibcs_e_download_msg_req_recv' is invalid for the current state 'ibcs_s_accept': smi_ibc_serv SMI IBCS sm -Traceback= XXXXXXX 1C2E850 1C1AC2C 1C2EDF4 1C2F5EC 1C2F7B8 1C1C40C 1C1C5BC 1C1C74C 1C1CA60 1C1B0B4 1B9774C 1B8E1D8 Oct 21 20:12:46 MDT: %SM-4-BADEVENT: Event 'ibcs_e_download_msg_resp_send' is invalid for the current state 'ibcs_s_accept': smi_ibc_serv SMI IBCS sm -Traceback= XXXXXXX 1C2E878 1C1AD58 1C2EDF4 1C2F5EC 1C2F7B8 1C1C40C 1C1C5BC 1C1C74C 1C1CA60 1C1B0B4 1B9774C 1B8E1D8 Oct 21 20:12:46 MDT: VSTACK_ERR: smi_ibc_dl_handle_events : invalid message If you have packets or logs that might help assess if this is related to this vulnerability, use our contact page to send them to us. [1] https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-6385 [2] https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160928-smi [3] https://tools.cisco.com/security/center/viewErp.x?alertId=ERP-56513 [4] https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160928-smi#fixed [5] http://www.securityfocus.com/archive/1/539511 [6] https://isc.sans.edu/port.html?port=4786 ----------- Guy Bruneau IPSS Inc. Twitter: GuyBruneau gbruneau at isc dot sans dot edu	Guy 453 Posts ISC Handler
Subscribe	Oct 22nd 2016 3 years ago