Excessive resource usage, service unresponsive after tab left open

Product: PowerShell Universal
Version: 2.3.1

So, last night, from what I can gather, someone left a tab open in Edge with a PowerShell Universal page open. Today, I went to access it and was unable to. Logging into the server, I saw it sending ~35 MB of data per sec across the NIC and eating up about 90% of the available memory and nearly maxing the CPU.



The Universal log file also matches this. This persisted from 6AM to 11AM. In that time, it sent 14GB of data, all while repeatedly doing claims evaluations. I ended up having to force close Universal, then start the service.

When it started again, it was stuck… Here are the logs from that time (about 70% of them, to work with pastebin)
UniversalLog - Pastebin.com

I then reached out and asked “User1” to close their inactive tab. They closed it, I restarted the service… And everything worked fine.

Can you let me know what type of authentication you are using?

Hi Adam,

Using Windows Integrated Authentication…

```powershell
param(
    $User
)

# Strip the DOMAIN\ prefix from the Windows identity name
$UserName = ($User.Identity.Name)
$UserName = $UserName.Substring($UserName.IndexOf('\')+1,($UserName.Length -($UserName.IndexOf('\')+1)))

$IsMember = $false;

# Perform LDAP Group Member Lookup

$Searcher = New-Object DirectoryServices.DirectorySearcher
$Searcher.SearchRoot = 'LDAP://Redacted' # INSERT ROOT LDAP HERE
$Searcher.Filter = "(&(objectCategory=person)(memberOf=Redacted))" #GROUP INSERT DN TO CHECK HERE
$Users = $Searcher.FindAll()
$Users | ForEach-Object{
    If($_.Properties.samaccountname -eq $UserName)
    {
        $IsMember = $true;
        "$UserName is a member of admin group!"
    }
}

return $IsMember
```

That’s the script to go along with it.

Ok. Thanks. I’ll try to reproduce this. I opened an issue.

One thing you can do in the meantime would be to set up some sort of rate limiting to prevent the LDAP calls and likely reduce the data output. Your server may still be spammed but it would shortcut the requests before running all the heavy PS scripts.
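
Added example, not part of the original posts and not the product's own code: one way to keep repeated claims evaluations from reaching LDAP is to ask the directory about only the current user and cache the answer for a short time, so a flood of requests is answered from memory. The LDAP root, the group DN, the five-minute TTL and the `RoleCheckCache` key are placeholders chosen here; the sketch assumes the role script runs on Windows and that successive evaluations share one server process, otherwise each process keeps its own cache.

```powershell
param($User)
# Placeholders, not values from the thread: set to your directory root and group DN.
$LdapRoot = 'LDAP://DC=example,DC=test'
$GroupDn  = 'CN=PSU-Admins,OU=Groups,DC=example,DC=test'
$CacheTtl = [TimeSpan]::FromMinutes(5)   # assumed tolerable staleness for a role decision

function ConvertTo-LdapFilterValue([string]$Value) {
    # Escape the RFC 4515 special characters so a value cannot change the filter.
    $sb = [System.Text.StringBuilder]::new()
    foreach ($ch in $Value.ToCharArray()) {
        if ('\*()'.IndexOf($ch) -ge 0 -or [int]$ch -eq 0) { [void]$sb.AppendFormat('\{0:x2}', [int]$ch) }
        else { [void]$sb.Append($ch) }
    }
    $sb.ToString()
}

# Process-wide cache kept in AppDomain data so it outlives a single script run.
$cache = [AppDomain]::CurrentDomain.GetData('RoleCheckCache')
if ($null -eq $cache) {
    $cache = [System.Collections.Concurrent.ConcurrentDictionary[string, object]]::new()
    [AppDomain]::CurrentDomain.SetData('RoleCheckCache', $cache)
}

# Strip the DOMAIN\ prefix; an empty name is never a member.
$name = "$($User.Identity.Name)" -replace '^.*\\', ''
if (-not $name) { return $false }
$key = "$GroupDn|$name".ToLowerInvariant()

$entry = $null
if ($cache.TryGetValue($key, [ref]$entry) -and $entry.Expires -gt [DateTime]::UtcNow) {
    return $entry.IsMember   # cache hit: no LDAP round trip for this evaluation
}

$searcher = New-Object DirectoryServices.DirectorySearcher
try {
    $searcher.SearchRoot = [ADSI]$LdapRoot
    # Ask about this one account instead of pulling every group member with FindAll().
    # memberOf matches direct membership only, the same as the filter in the thread.
    $u = ConvertTo-LdapFilterValue $name
    $g = ConvertTo-LdapFilterValue $GroupDn
    $searcher.Filter = "(&(objectCategory=person)(sAMAccountName=$u)(memberOf=$g))"
    $searcher.SizeLimit = 1
    [void]$searcher.PropertiesToLoad.Add('sAMAccountName')
    $isMember = $null -ne $searcher.FindOne()
}
finally { $searcher.Dispose() }
$cache[$key] = [pscustomobject]@{ IsMember = $isMember; Expires = [DateTime]::UtcNow + $CacheTtl }
return $isMember
```

A cached answer means a change in group membership can take up to the TTL to show up, so choose the TTL with that delay in mind.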