February 21, 2019

Windows Servers HTTP/2 Request Bug Can Trigger 100% CPU Usage

The vulnerability within Microsoft’s web server technology was discovered by F5 Networks engineer Gal Goldshtein.

By CBR Staff Writer

Internet Information Services (IIS) running on Windows servers can be manipulated into a 100 percent CPU usage spike, according to a Microsoft Security Teams report.

Yesterday Microsoft said it is aware that malicious HTTP/2 requests sent to Windows servers running IIS can drive system CPU usage to 100 percent, a spike that can only be stopped by severing the malicious connections.

Microsoft has said the issue affects IIS servers running Windows 10 and Windows Server 2016; these servers exhibit the CPU spike when they are asked to process fraudulent HTTP/2 requests. A 100 percent CPU spike would effectively shut down any meaningful functionality on the server and is equivalent to a DDoS attack.

“The HTTP/2 specification allows clients to specify any number of SETTINGS frames with any number of SETTINGS parameters. In some situations, excessive settings can cause services to become unstable and may result in a temporary CPU usage spike until the connection timeout is reached and the connection is closed,” Microsoft Security Team wrote.

HTTP/2 Requests Bug Addressed by Microsoft

HTTP/2 is the newest version of the HyperText Transfer Protocol, which underlies all of the currently used World Wide Web. HTTP/2 is seen as a faster version of the protocol and enables webpages to be loaded with reduced latency and at faster speed. HTTP/2 modifies the way in which data is transported and formatted in exchanges between a server and client.

Google Web performance engineer Ilya Grigorik wrote in a developer blog that: “The primary goals for HTTP/2 are to reduce latency by enabling full request and response multiplexing, minimize protocol overhead via efficient compression of HTTP header fields, and add support for request prioritization and server push.”

To address the vulnerability, Microsoft has added the ability to define thresholds on the “number of HTTP/2 SETTINGS included in a request.” However, developers and IIS administrators must set and define these thresholds themselves, as Microsoft has not decided to pre-set them.
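The kind of threshold check described above can be sketched as follows. This is an added example, not Microsoft's code or configuration: it parses HTTP/2 frames per RFC 7540 and counts SETTINGS parameters per frame and per connection. The limit names and values are hypothetical, the per-connection count is a simplification of a rate limit, and the sample frames are constructed.

```python
import struct

SETTINGS = 0x4   # HTTP/2 frame type for SETTINGS (RFC 7540, section 6.5)
ACK = 0x1        # SETTINGS acknowledgement flag

# Hypothetical limits for this example; not Microsoft's names or defaults.
MAX_PARAMS_PER_FRAME = 32
MAX_PARAMS_PER_CONNECTION = 64

def iter_frames(buf):
    """Yield (type, flags, stream_id, payload) for each complete frame in buf."""
    pos = 0
    while pos + 9 <= len(buf):
        length = int.from_bytes(buf[pos:pos + 3], "big")   # 24-bit payload length
        ftype, flags, stream = struct.unpack(">BBI", buf[pos + 3:pos + 9])
        end = pos + 9 + length
        if end > len(buf):
            break  # truncated frame: a real server would wait for more data
        yield ftype, flags, stream & 0x7FFFFFFF, buf[pos + 9:end]
        pos = end

def check_settings(buf):
    """Return (verdict, settings_frames_seen, params_seen) for one connection."""
    frames = params = 0
    for ftype, flags, stream, payload in iter_frames(buf):
        if ftype != SETTINGS:
            continue
        # SETTINGS belongs on stream 0, is 6 bytes per parameter, empty on ACK.
        if stream != 0 or len(payload) % 6 or (flags & ACK and payload):
            return "malformed", frames, params
        frames += 1
        count = len(payload) // 6
        params += count
        if count > MAX_PARAMS_PER_FRAME:
            return "per-frame limit exceeded", frames, params
        if params > MAX_PARAMS_PER_CONNECTION:
            return "per-connection limit exceeded", frames, params
    return "ok", frames, params

def settings_frame(pairs, flags=0):
    """Build a SETTINGS frame from (identifier, value) pairs for sample input."""
    payload = b"".join(struct.pack(">HI", i, v) for i, v in pairs)
    header = len(payload).to_bytes(3, "big") + struct.pack(">BBI", SETTINGS, flags, 0)
    return header + payload

# Constructed sample input: an ordinary frame and one padded past the limit.
NORMAL = settings_frame([(0x3, 100), (0x4, 65535)])
PADDED = settings_frame([(0x4, 65535)] * 40)

if __name__ == "__main__":
    for name, data in (("normal", NORMAL), ("padded", PADDED)):
        print(name, check_settings(data))
```

A server or proxy applying such a check would close the connection on any verdict other than "ok" instead of continuing to process its frames.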
