Windows servers running Internet Information Services (IIS) are vulnerable to denial-of-service (DoS) attacks carried out through malicious HTTP/2 requests.
Microsoft revealed that Windows servers running Internet Information Services (IIS) are vulnerable to denial-of-service (DoS) attacks.
Attackers can trigger a DoS condition by sending specially crafted HTTP/2 requests, the CPU usage will temporarily spike to 100% forcing the IIS into killing the malicious connections.
“Microsoft is aware of a potential condition which can be triggered when malicious HTTP/2 requests are sent to a Windows Server running Internet Information Services (IIS). This could temporarily cause the system CPU usage to spike to 100% until the malicious connections are killed by IIS.” reads the security advisory published by Microsoft.
“The HTTP/2 specification allows clients to specify any number of SETTINGS frames with any number of SETTINGS parameters. In some situations, excessive settings can cause services to become unstable and may result in a temporary CPU usage spike until the connection timeout is reached and the connection is closed.”
The flaw affects Windows 10, Windows Server and Windows Server 2016.
The flaw was reported by Gal Goldshtein from F5 Networks who disclosed in November 2018 a similar flaw in the nginx web server software.
Microsoft has released updates to address the issue, the tech giant has implemented the ability to define thresholds on the number of HTTP/2 SETTINGS included in a request. These thresholds are not preset by Microsoft, instead, IIS administrator must define them. Microsoft published a knowledge base article to explain how to define thresholds on the number of HTTP/2 settings parameters exchanged over a connection.
Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer.
Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US.
Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines.
Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.