PrintNightmare/CVE-2021-34527 Search the Domain with PowerShell

In my latest blog post “Vulnerability advisory: PrintNightmare/CVE-2021-34527 Zero-day Exploit Code Available – What to do now?” I’ve recommended enabling monitoring with Windows EventLogs or Sysmon logging. Since many small to medium business leak the possibility to aggregate, search and alert on Windows EventLogs, I want to propose a simple yet effective manual way for these businesses until a patch is available.

Continue reading “PrintNightmare/CVE-2021-34527 Search the Domain with PowerShell”

Vulnerability advisory: PrintNightmare/CVE-2021-34527 Zero-day Exploit Code Available – What to do now?

What has happened?

With the June 2021 security update Microsoft fixed a vulnerability (CVE-2021-1675) in the Windows Print Spooler Service that allowed for Privilege Escalation (LPE) and Remote Code Execution (RCE).

On June 29th exploit code for this vulnerability was published by a security researcher as PoC but then quickly removed as it was clear that the PoC did not address the vulnerability that Microsoft has fixed. Unfortunately the PoC code was already being actively shared at this moment. So for now, we have a 0-day RCE in the Windows Print Spooler Service for which exploit code is available.

Continue reading “Vulnerability advisory: PrintNightmare/CVE-2021-34527 Zero-day Exploit Code Available – What to do now?”

Investigating: CVE-2019-19781 on Citrix NetScaler appliances

We got quite a few cases related to CVE-2019-19781 during the past few weeks.

However, most of the NetScaler VM images we got were acquired after the appliances were shut down, so we had no RAM image data. Unfortunately, this also implicates the loss of the root file system /, as it turned out that the root partition was mounted as a RAM disk.

Continue reading “Investigating: CVE-2019-19781 on Citrix NetScaler appliances”