The Microsoft Security Response Center published yesterday a security advisory about a denial-of-service (DoS) issue impacting IIS (Internet Information Services), Microsoft's web server technology.
According to Microsoft, IIS servers shipped with Windows 10 and Windows Server 2016 are impacted by a vulnerability when processing HTTP/2 requests.
HTTP/2 is the latest version of the HTTP protocol that underpins what’s known as the World Wide Web (www), the part of the internet that regular users can access in their browsers.
Microsoft says that there are circumstances in which IIS servers processing HTTP/2 requests can cause CPU usage to spike to 100 percent, effectively blocking or slowing down the entire system.
Gal Goldshtein, a software engineer with F5 Networks, discovered the issue. Outside of Microsoft's ADV190005 security advisory, there are no other public details available about this vulnerability.
In its advisory, Microsoft described the issue as follows:
The HTTP/2 specification allows clients to specify any number of SETTINGS frames with any number of SETTINGS parameters. In some situations, excessive settings can cause services to become unstable and may result in a temporary CPU usage spike until the connection timeout is reached and the connection is closed.
The Redmond-based OS maker addressed the issue by adding the ability to define thresholds on the number of SETTINGS parameters in an HTTP/2 request that an IIS server will accept before it stops processing them.
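As an added illustration (not code from the article, from Microsoft, or from IIS), the following Python snippet is a minimal HTTP/2 frame reader that enforces a per-frame and a per-connection budget on SETTINGS parameters, modelling the kind of threshold the update introduces. The limit names and values, the `SettingsGuard` class and the constructed sample frames are all assumptions chosen for the example; Microsoft's actual configuration settings and their defaults are not given in the article.

```python
# Added example, not code from the article or from Microsoft: a minimal HTTP/2
# frame reader that enforces a per-frame and a per-connection budget on
# SETTINGS parameters, modelling the kind of threshold the advisory describes.
# The threshold names and values are assumptions chosen for illustration.
import struct
from typing import Iterator, List, Tuple

SETTINGS_FRAME_TYPE = 0x4
SETTINGS_ACK_FLAG = 0x1
MAX_SETTINGS_PER_FRAME = 32        # assumed per-frame threshold
MAX_SETTINGS_PER_CONNECTION = 256  # assumed per-connection threshold (a real one is time-windowed)


def parse_frames(data: bytes) -> Iterator[Tuple[int, int, int, bytes]]:
    """Yield (type, flags, stream_id, payload) for each frame in the byte stream.

    Frame header (RFC 7540 section 4.1): 24-bit length, 8-bit type, 8-bit flags,
    1 reserved bit followed by a 31-bit stream identifier.
    """
    pos = 0
    while pos < len(data):
        if len(data) - pos < 9:
            raise ValueError("truncated frame header")
        length = int.from_bytes(data[pos:pos + 3], "big")
        ftype, flags = data[pos + 3], data[pos + 4]
        stream_id = int.from_bytes(data[pos + 5:pos + 9], "big") & 0x7FFFFFFF
        payload = data[pos + 9:pos + 9 + length]
        if len(payload) != length:
            raise ValueError("truncated frame payload")
        yield ftype, flags, stream_id, payload
        pos += 9 + length


def count_settings(payload: bytes) -> int:
    """A SETTINGS payload is a sequence of 6-byte parameters (16-bit id, 32-bit value)."""
    if len(payload) % 6:
        raise ValueError("SETTINGS payload is not a multiple of 6 bytes")
    return len(payload) // 6


class SettingsGuard:
    """Tracks SETTINGS parameters seen on one connection and enforces both limits."""

    def __init__(self, per_frame: int = MAX_SETTINGS_PER_FRAME,
                 per_connection: int = MAX_SETTINGS_PER_CONNECTION) -> None:
        self.per_frame = per_frame
        self.per_connection = per_connection
        self.total = 0

    def inspect(self, data: bytes) -> str:
        """Return "ok" if every SETTINGS frame is within budget, else a reason string.

        A real server would close the connection (GOAWAY) on the first violation
        rather than continue parsing the remaining input.
        """
        for ftype, flags, stream_id, payload in parse_frames(data):
            if ftype != SETTINGS_FRAME_TYPE:
                continue
            if stream_id != 0:
                return "protocol-error: SETTINGS on non-zero stream"
            if flags & SETTINGS_ACK_FLAG:
                if payload:
                    return "protocol-error: SETTINGS ACK with payload"
                continue
            n = count_settings(payload)
            if n > self.per_frame:
                return f"frame-limit: {n} parameters in one frame (max {self.per_frame})"
            self.total += n
            if self.total > self.per_connection:
                return f"connection-limit: {self.total} parameters so far (max {self.per_connection})"
        return "ok"


def build_settings_frame(params: List[Tuple[int, int]]) -> bytes:
    """Encode a SETTINGS frame on stream 0; used here only to construct sample input."""
    payload = b"".join(struct.pack(">HI", ident, value) for ident, value in params)
    header = len(payload).to_bytes(3, "big") + bytes([SETTINGS_FRAME_TYPE, 0]) + (0).to_bytes(4, "big")
    return header + payload


def demo() -> Tuple[str, str, str]:
    """Run the guard over three constructed inputs: a normal client preface, one
    oversized frame, and a series of small frames that exhaust the connection budget."""
    normal = build_settings_frame([(0x1, 4096), (0x3, 100), (0x4, 65535)])
    oversized = build_settings_frame([(0x4, 65535)] * (MAX_SETTINGS_PER_FRAME + 1))
    drip = build_settings_frame([(0x4, 65535)] * MAX_SETTINGS_PER_FRAME) * 9  # 288 > 256
    return (SettingsGuard().inspect(normal),
            SettingsGuard().inspect(oversized),
            SettingsGuard().inspect(drip))


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

The per-connection counter is deliberately simple; a production control would reset it on a sliding time window so that a long-lived, well-behaved connection is not eventually cut off, which is why the advisory talks about thresholds rather than a fixed lifetime cap.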