Microsoft revealed that Windows servers running Internet Information Services (IIS) are vulnerable to denial-of-service (
Attackers can trigger a DoS condition by sending specially crafted HTTP/2 requests, the CPU usage will temporarily spike to 100% forcing the IIS into killing the malicious connections.
“Microsoft is aware of a potential condition which can be triggered when malicious HTTP/2 requests are sent to a Windows Server running Internet Information Services (IIS). This could temporarily cause the system CPU usage to spike to 100% until the malicious connections are killed by IIS.” reads the security advisory published by Microsoft.
“The HTTP/2 specification allows clients to specify any number of SETTINGS frames with any number of SETTINGS parameters. In some situations, excessive settings can cause services to become unstable and may result in a temporary CPU usage spike until the connection timeout is reached and the connection is closed.”
The flaw affects Windows 10, Windows Server and Windows Server 2016.
The flaw was reported by Gal Goldshtein from F5 Networks who disclosed in November 2018 a similar flaw in the nginx web server software.
Microsoft has released updates to address the issue, the tech giant has implemented the ability to define thresholds on the number of HTTP/2 SETTINGS included in a request. These thresholds are not preset by Microsoft, instead, IIS administrator must define them. Microsoft published a knowledge base article to explain how to define thresholds on the number of HTTP/2 settings parameters exchanged over a connection.