Windows servers running Internet Information Services (IIS) are vulnerable to denial-of-service (DoS) attacks carried out through malicious HTTP/2 requests.
Microsoft revealed that Windows servers running Internet Information Services (IIS) are at risk of denial-of-service (DoS) attacks.
Attackers can cause a DoS condition by sending specially crafted HTTP/2 requests: CPU usage quickly spikes to 100% and stays there until IIS kills the malicious connections.
“Microsoft is aware of a potential condition which can be triggered when malicious HTTP/2 requests are sent to a Windows Server running Internet Information Services (IIS). This could temporarily cause the system CPU usage to spike to 100% until the malicious connections are killed by IIS,” reads the security advisory published by Microsoft.
“The HTTP/2 specification allows clients to specify any number of SETTINGS frames with any number of SETTINGS parameters. In some situations, excessive settings can cause services to become unstable and may result in a temporary CPU usage spike until the connection timeout is reached and the connection is closed.”
The flaw affects Windows 10, Windows Server and Windows Server 2016.
The flaw was reported by Gal Goldshtein from F5 Networks, who in November 2018 disclosed a similar flaw in the Nginx web server software.
Microsoft has released updates to address the issue: the tech giant has implemented the ability to define thresholds on the number of HTTP/2 SETTINGS included in a request. These thresholds are not preset by Microsoft; instead, the IIS administrator has to define them. Microsoft published a knowledge base article explaining how to define thresholds on the number of HTTP/2 settings parameters exchanged over a connection.
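The advisory's point is that RFC 7540 puts no upper bound on how many SETTINGS parameters a client may send, so a server has to impose its own per-frame and per-connection limits. The following is an added example written for this article, not Microsoft's or IIS's code, and it does not reproduce Microsoft's registry settings: it parses raw HTTP/2 frames, counts the parameters carried by non-ACK SETTINGS frames, and reports when constructed traffic crosses hypothetical thresholds (`MAX_SETTINGS_PER_FRAME` and `MAX_SETTINGS_PER_CONNECTION` are placeholder values chosen for the example, not defaults from the knowledge base article). The sample byte strings are constructed inline.

```python
import struct

# HTTP/2 framing constants (RFC 7540): 9-byte frame header, SETTINGS frame
# type 0x4, ACK flag 0x1, and 6-byte SETTINGS entries (16-bit id + 32-bit value).
FRAME_HEADER_LEN = 9
SETTINGS_TYPE = 0x4
SETTINGS_ACK = 0x1
SETTING_ENTRY_LEN = 6

# Hypothetical limits for this example. The real values are whatever the IIS
# administrator configures by following Microsoft's knowledge base article.
MAX_SETTINGS_PER_FRAME = 7
MAX_SETTINGS_PER_CONNECTION = 50


def parse_frames(data):
    """Yield (frame_type, flags, stream_id, payload) for each complete frame in data."""
    off = 0
    while off + FRAME_HEADER_LEN <= len(data):
        length = int.from_bytes(data[off:off + 3], "big")
        frame_type = data[off + 3]
        flags = data[off + 4]
        # The top bit of the stream identifier is reserved and must be ignored.
        stream_id = int.from_bytes(data[off + 5:off + 9], "big") & 0x7FFFFFFF
        payload = data[off + 9:off + 9 + length]
        if len(payload) < length:
            break  # truncated trailing frame: wait for more bytes
        yield frame_type, flags, stream_id, payload
        off += FRAME_HEADER_LEN + length


def settings_params(payload):
    """Decode a SETTINGS payload into a list of (identifier, value) pairs.

    RFC 7540 lets a frame carry any number of entries, including repeated
    identifiers (the last one wins) and unknown identifiers (ignored), which
    is why the count is unbounded unless the server imposes its own limit.
    """
    if len(payload) % SETTING_ENTRY_LEN:
        raise ValueError("SETTINGS payload is not a multiple of 6 bytes (FRAME_SIZE_ERROR)")
    return [struct.unpack("!HI", payload[i:i + SETTING_ENTRY_LEN])
            for i in range(0, len(payload), SETTING_ENTRY_LEN)]


def audit_settings(data, max_per_frame=MAX_SETTINGS_PER_FRAME,
                   max_per_connection=MAX_SETTINGS_PER_CONNECTION):
    """Count SETTINGS parameters on one connection and report threshold breaches.

    Returns the number of non-ACK SETTINGS frames seen, the total number of
    parameters, and a list of reasons for closing the connection (empty when
    the traffic stays within both thresholds).
    """
    frames = 0
    total = 0
    reasons = []
    for frame_type, flags, _stream_id, payload in parse_frames(data):
        if frame_type != SETTINGS_TYPE or flags & SETTINGS_ACK:
            continue  # only non-ACK SETTINGS frames carry parameters
        frames += 1
        count = len(settings_params(payload))
        total += count
        if count > max_per_frame:
            reasons.append(f"SETTINGS frame {frames} carries {count} parameters "
                           f"(limit {max_per_frame})")
        if total > max_per_connection:
            reasons.append(f"connection total of {total} parameters exceeds "
                           f"limit {max_per_connection}")
            break  # stop parsing: the connection should be closed here
    return {"settings_frames": frames, "settings_params": total, "reasons": reasons}


def build_settings_frame(params, flags=0):
    """Serialize a SETTINGS frame on stream 0 (used here only to build test fixtures)."""
    payload = b"".join(struct.pack("!HI", ident, value) for ident, value in params)
    header = (len(payload).to_bytes(3, "big") + bytes([SETTINGS_TYPE, flags])
              + (0).to_bytes(4, "big"))
    return header + payload


# Constructed sample traffic: a normal client SETTINGS frame with two parameters,
# then one frame that repeats SETTINGS_INITIAL_WINDOW_SIZE (0x4) forty times.
SAMPLE_NORMAL = build_settings_frame([(0x3, 100), (0x4, 65535)])
SAMPLE_EXCESSIVE = SAMPLE_NORMAL + build_settings_frame([(0x4, 65535)] * 40)

if __name__ == "__main__":
    for name, sample in (("normal", SAMPLE_NORMAL), ("excessive", SAMPLE_EXCESSIVE)):
        print(name, audit_settings(sample))
```

Running the block prints an empty `reasons` list for the normal connection and a per-frame breach for the excessive one; the per-connection counter is what catches a client that stays under the per-frame limit but keeps sending SETTINGS frames, which is the second of the two thresholds the article says IIS administrators can now define.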