Microsoft IIS Web Server's CPU Gobbling Bug

Last week Microsoft's Security Response Center issued a security advisory about a denial of service issue with Internet Information Services, Redmond's web server. It seems that a malicious client attempting to connect with IIS using HTTP/2 can make the server temporarily unstable by maxing out the CPU.

Microsoft said the bug was discovered and reported by Gal Goldshtein, a security researcher at F5 Networks, and affects IIS servers that shipped with Windows 10 and Windows Server 2016.

HTTP/2 is a revision of the HTTP protocol that was released in 2015 and is currently supported by all major browsers and by about a third of the top 10 million websites. The IIS problem revolves around HTML/2's settings frames that are used to establish settings parameters between the client and server.

"The HTTP/2 protocol doesn’t define any practical limit on the number of settings parameters included in a single settings frame (max allowed is 2,796,202) and there is no limit on the number of times such settings frames are exchanged," Microsoft explained in an online notice.

"A malicious client using HTTP/2 can exploit this fact to make an HTTP/2 server system temporarily unstable, by increasing the CPU usage to 100 percent before the connections are terminated by the Internet Information Services (IIS)."

In other words, a malicious actor can flood the IIS web server with enough requests to effectively bring it to a halt.

To address this issue, Microsoft added in February's non-security update the ability for administrators to define thresholds on the number of HTTP/2 settings included in a request. The patch, which adds two registry entries, allows admins to set a maximum number of settings parameters included in a frame as well as a maximum number per minute. If either threshold is crossed, the connection is immediately terminated.

"These limits are not preset by Microsoft and must be defined by system administrator after reviewing the HTTP/2 protocol and their environment requirements," Microsoft said.

Information about the new registry entries are available on a support page dealing with the issue.

According to Microsoft, a machine reboot, or service restart is required in order to read the configured registry values, both when they are first added or whenever they are changed.