Internet Information Services (IIS) running on Windows servers can be manipulated into a 100 percent CPU usage spike, according to a Microsoft Security Team report.
Yesterday Microsoft said it is aware that malicious HTTP/2 requests sent to Windows servers running IIS can drive system CPU usage to 100 percent, and that the spike can only be stopped by severing the malicious connections.
Microsoft has said the issue affects IIS servers running on Windows 10 and Windows Server 2016. These servers exhibit the CPU spike vulnerability when they are asked to process fraudulent HTTP/2 requests. A 100 percent CPU spike would effectively shut down any meaningful functionality on the server and is equivalent to a DDoS attack.
“The HTTP/2 specification allows clients to specify any number of SETTINGS frames with any number of SETTINGS parameters. In some situations, excessive settings can cause services to become unstable and may result in a temporary CPU usage spike until the connection timeout is reached and the connection is closed,” Microsoft Security Team wrote.
HTTP/2 Requests Bug Addressed by Microsoft
HTTP/2 is the newest version of the HyperText Transfer Protocol, which underlies all of the currently used World Wide Web. HTTP/2 is seen as a faster version of the protocol and enables webpages to be loaded with reduced latency and faster speed. HTTP/2 modifies the way in which data is transported and formatted in exchanges between a server and client.
Google Web performance engineer Ilya Grigorik wrote in a developer blog that: “The primary goals for HTTP/2 are to reduce latency by enabling full request and response multiplexing, minimize protocol overhead via efficient compression of HTTP header fields, and add support for request prioritization and server push.”
The vulnerability within Microsoft’s web server technology was discovered by F5 Networks engineer Gal Goldshtein.
To address the vulnerability, Microsoft has added the ability to define thresholds on the “number of HTTP/2 SETTINGS included in a request.” However, IIS administrators and developers must set and define these thresholds themselves, as Microsoft has not decided to pre-set them.
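The following added example (not Microsoft's code and not part of the original article) shows what such a threshold check looks like at the protocol level: it parses the HTTP/2 frame stream of one connection, counts SETTINGS parameters, and rejects the connection once a per-frame or per-connection limit is exceeded. The limit values, function names and sample byte strings are assumptions constructed for illustration.

```python
import struct

SETTINGS = 0x4  # frame type for SETTINGS (RFC 7540, section 6.5)
ACK = 0x1       # SETTINGS flag: acknowledgement, carries no parameters
# Hypothetical thresholds picked for this example, not Microsoft's values.
MAX_PARAMS_PER_FRAME = 32
MAX_PARAMS_PER_CONNECTION = 256


def frame(ftype, flags, stream_id, payload=b""):
    """Build one frame: 24-bit length, type, flags, 31-bit stream id."""
    head = struct.pack(">I", len(payload))[1:] + bytes([ftype, flags])
    return head + struct.pack(">I", stream_id & 0x7FFFFFFF) + payload


def settings_payload(pairs):
    """Encode (identifier, value) pairs as 6-byte SETTINGS parameters."""
    return b"".join(struct.pack(">HI", i, v) for i, v in pairs)


def check_connection(data):
    """Return (verdict, parameters counted) for one connection's frames."""
    # Assumes the 24-byte client connection preface was already removed.
    offset, total = 0, 0
    while offset + 9 <= len(data):
        length = int.from_bytes(data[offset:offset + 3], "big")
        ftype, flags = data[offset + 3], data[offset + 4]
        stream = int.from_bytes(data[offset + 5:offset + 9], "big") & 0x7FFFFFFF
        if offset + 9 + length > len(data):
            return "truncated frame", total
        offset += 9 + length
        if ftype != SETTINGS or flags & ACK:
            continue  # only non-ACK SETTINGS frames carry parameters
        if stream != 0 or length % 6:
            return "malformed SETTINGS frame", total
        total += length // 6
        if length // 6 > MAX_PARAMS_PER_FRAME:
            return "too many parameters in one frame", total
        if total > MAX_PARAMS_PER_CONNECTION:
            return "too many parameters on connection", total
    return ("ok" if offset == len(data) else "truncated frame"), total


# Constructed sample traffic: an ordinary exchange and a parameter flood.
NORMAL = frame(SETTINGS, 0, 0, settings_payload([(0x3, 100), (0x4, 65535)])) \
    + frame(SETTINGS, ACK, 0)
FLOOD = frame(SETTINGS, 0, 0, settings_payload([(0x4, 65535)] * 20)) * 20
```

In the flood sample every frame stays under the per-frame limit, so only the per-connection counter catches it, which is why both thresholds are needed.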