Internet Information Services (IIS), Microsoft's extensible web server, is affected by a bug that lets malicious HTTP/2 requests severely degrade its performance. Such requests can gradually drive CPU usage on a Windows server running IIS to 100 percent.
In a security advisory released yesterday, Microsoft described the issue in detail and confirmed that Windows servers running IIS are vulnerable. The company addressed the bug through the 14 updates it released for Windows client and server operating systems.
New threshold setting to prevent abuse
Microsoft explained the issue in the advisory stating, “The HTTP/2 specification allows clients to specify any number of SETTINGS frames with any number of SETTINGS parameters. In some situations, excessive settings can cause services to become unstable and may result in a temporary CPU usage spike until the connection timeout is reached and the connection is closed."
Furthermore, it added that, "To address this issue, Microsoft has added the ability to define thresholds on the number of HTTP/2 SETTINGS included in a request. These thresholds must be defined by the IIS administrator, they are not preset by Microsoft.”
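To make the mechanism concrete, here is an added example (not Microsoft's code and not from the advisory) that encodes HTTP/2 SETTINGS frames exactly as RFC 7540 section 6.5 lays them out and then runs them through a per-connection limiter of the kind the advisory describes: one threshold on settings per frame and one on settings per minute. The threshold values, the `SettingsLimiter` class and the `simulate_flood` helper are all assumptions made for the illustration; Microsoft's own thresholds are set by the administrator, not preset.

```python
import struct
import time
from collections import deque

# HTTP/2 frame constants taken from RFC 7540.
SETTINGS_FRAME_TYPE = 0x4
FLAG_ACK = 0x1
FRAME_HEADER_LEN = 9
SETTING_ENTRY_LEN = 6            # 16-bit identifier + 32-bit value
DEFAULT_MAX_FRAME_SIZE = 16384   # initial SETTINGS_MAX_FRAME_SIZE
SETTINGS_INITIAL_WINDOW_SIZE = 0x4

# Hypothetical thresholds chosen for this example; not Microsoft's values.
MAX_SETTINGS_PER_FRAME = 20
MAX_SETTINGS_PER_MINUTE = 100


def build_settings_frame(settings, ack=False):
    """Encode a SETTINGS frame on stream 0 from (identifier, value) pairs."""
    payload = b"".join(struct.pack("!HI", ident, value) for ident, value in settings)
    flags = FLAG_ACK if ack else 0
    header = (len(payload).to_bytes(3, "big")
              + bytes([SETTINGS_FRAME_TYPE, flags])
              + (0).to_bytes(4, "big"))      # reserved bit + stream id 0
    return header + payload


def parse_frame_header(data):
    """Return (length, type, flags, stream_id) from the 9-byte frame header."""
    if len(data) < FRAME_HEADER_LEN:
        raise ValueError("short frame header")
    length = int.from_bytes(data[:3], "big")
    ftype, flags = data[3], data[4]
    stream_id = int.from_bytes(data[5:9], "big") & 0x7FFFFFFF
    return length, ftype, flags, stream_id


class SettingsLimiter:
    """Per-connection SETTINGS accounting with per-frame and per-minute caps."""

    def __init__(self, per_frame=MAX_SETTINGS_PER_FRAME, per_minute=MAX_SETTINGS_PER_MINUTE):
        self.per_frame = per_frame
        self.per_minute = per_minute
        self._window = deque()   # (timestamp, settings_count) for the last 60 s

    def check_frame(self, frame, now=None):
        """Return (accepted, reason). A False result means: close the connection."""
        now = time.monotonic() if now is None else now
        length, ftype, flags, stream_id = parse_frame_header(frame)
        if ftype != SETTINGS_FRAME_TYPE:
            return True, "not a SETTINGS frame"
        # RFC 7540 validity checks come first; they are cheap and unconditional.
        if stream_id != 0:
            return False, "PROTOCOL_ERROR: SETTINGS on a non-zero stream"
        if length > DEFAULT_MAX_FRAME_SIZE:
            return False, "FRAME_SIZE_ERROR: frame exceeds SETTINGS_MAX_FRAME_SIZE"
        if flags & FLAG_ACK:
            if length != 0:
                return False, "FRAME_SIZE_ERROR: SETTINGS ACK carries a payload"
            return True, "ack"
        if length % SETTING_ENTRY_LEN != 0:
            return False, "FRAME_SIZE_ERROR: payload length not a multiple of 6"
        count = length // SETTING_ENTRY_LEN
        # Threshold 1: too many parameters packed into a single frame.
        if count > self.per_frame:
            return False, f"threshold: {count} settings in one frame (limit {self.per_frame})"
        # Threshold 2: too many parameters across frames within a one-minute window.
        while self._window and now - self._window[0][0] >= 60:
            self._window.popleft()
        total = sum(c for _, c in self._window) + count
        if total > self.per_minute:
            return False, f"threshold: {total} settings in the last minute (limit {self.per_minute})"
        self._window.append((now, count))
        return True, f"{count} settings accepted"


def simulate_flood(frames_per_burst, settings_per_frame, limiter=None):
    """Replay a burst of identical SETTINGS frames at t=0 (constructed attacker traffic).

    Returns the index of the first rejected frame, or None if all were accepted.
    """
    limiter = limiter or SettingsLimiter()
    # The spec allows the same identifier to repeat; the last value wins.
    frame = build_settings_frame([(SETTINGS_INITIAL_WINDOW_SIZE, 65535)] * settings_per_frame)
    for i in range(frames_per_burst):
        ok, _ = limiter.check_frame(frame, now=0.0)
        if not ok:
            return i
    return None


if __name__ == "__main__":
    benign = build_settings_frame([(0x3, 100), (SETTINGS_INITIAL_WINDOW_SIZE, 65535)])
    print(SettingsLimiter().check_frame(benign))
    bloated = build_settings_frame([(SETTINGS_INITIAL_WINDOW_SIZE, 65535)] * 2000)  # 12000 bytes
    print(SettingsLimiter().check_frame(bloated))
    print("first rejected frame in a 20-frame burst:", simulate_flood(20, 10))
```

Two things are worth noticing when running it. A single 2000-entry frame is still under the 16 KiB default frame size, so it passes every RFC check and is stopped only by the per-frame threshold; a burst of small, individually harmless frames passes the per-frame check and is stopped only by the per-minute threshold. Both limits are needed because either one alone leaves a cheap path to the CPU spike the advisory describes.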
HTTP/2, a revamped version of the widely used HTTP/1.1, has several advantages over its predecessor. Multiplexing many requests over a single TCP connection yields faster page loads, and its binary framing, in place of HTTP/1.1's text format, makes more efficient use of network resources. The same properties cut both ways: because a client can push a large number of frames over one connection at little cost to itself, any flaw in how the server processes those frames, such as the unbounded SETTINGS handling described above, gives an attacker an inexpensive way to mount a denial-of-service attack.