Windows Servers Vulnerable to IIS Resource Exhaustion DoS Attacks

Microsoft published a security advisory on its Security Response Center disclosing that Windows Server and Windows 10 servers running Internet Information Services (IIS) are vulnerable to denial of service (DoS) attacks.

To be more exact, all IIS servers running Windows Server 2016, Windows Server version 1709, Windows Server version 1803, as well as Windows 10 (versions 1607, 1703, 1709, and 1803) are affected by this DoS issue.

The vulnerability described in Microsoft's ADV190005 security advisory makes it possible for a potential remote attacker to trigger a DoS condition by taking advantage of an IIS resource exhaustion bug that "could temporarily cause the system CPU usage to spike to 100% until the malicious connections are killed by IIS."

Malicious actors can launch DoS attacks against vulnerable Windows servers by sending maliciously crafted HTTP/2 requests.

Microsoft states in the advisory that there are no known mitigations or workarounds for the vulnerability, which was reported by Gal Goldshtein of F5 Networks, and it recommends that all users install the February non-security updates listed in the table below.

Product | KB article
Windows 10 Version 1607 for 32-bit Systems | 4487006
Windows 10 Version 1607 for x64-based Systems | 4487006
Windows 10 Version 1703 for 32-bit Systems | 4487011
Windows 10 Version 1703 for x64-based Systems | 4487011
Windows 10 Version 1709 for 32-bit Systems | 4487021
Windows 10 Version 1709 for x64-based Systems | 4487021
Windows 10 Version 1709 for ARM64-based Systems | 4487021
Windows 10 Version 1803 for 32-bit Systems | 4487029
Windows 10 Version 1803 for ARM64-based Systems | 4487029
Windows 10 Version 1803 for x64-based Systems | 4487029
Windows Server 2016 | 4487006
Windows Server 2016 (Server Core installation) | 4487006
Windows Server, version 1709 (Server Core installation) | 4487021
Windows Server, version 1803 (Server Core installation) | 4487029

As detailed by Microsoft in their ADV190005 security advisory:

The HTTP/2 specification allows clients to specify any number of SETTINGS frames with any number of SETTINGS parameters. In some situations, excessive settings can cause services to become unstable and may result in a temporary CPU usage spike until the connection timeout is reached and the connection is closed.

As a mitigation measure, Redmond's security team "added the ability to define thresholds on the number of HTTP/2 SETTINGS included in a request." These thresholds are not pre-configured by Microsoft; IIS administrators have to set them themselves after evaluating their systems' environment and HTTP/2 protocol requirements.

To set these limits, Microsoft added the following registry entries on vulnerable Windows 10 releases:

Path: Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HTTP\Parameters
Name: Http2MaxSettingsPerFrame
Type: DWORD
Data: Supported min value 7 and max 2796202. Out of range values trimmed to corresponding min/max end value.

Path: Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HTTP\Parameters
Name: Http2MaxSettingsPerMinute
Type: DWORD
Data: Supported min value 7. Smaller value trimmed to the min value.

Once the thresholds are set on a Windows system running IIS, a connection is immediately killed:

  • If a single SETTINGS frame contains more settings parameters than the Http2MaxSettingsPerFrame value
  • If the number of settings parameters contained in multiple SETTINGS frames received within a minute exceeds the Http2MaxSettingsPerMinute value

It's also important to note that, according to Microsoft, a service restart or a server reboot might be needed for the newly added registry values to be read.
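The registry-based mitigation described above, applied and audited from an elevated PowerShell session, as an added example that is not part of Microsoft's advisory or this article. The registry path, value names, types and documented ranges come from the advisory; the sample thresholds 64 and 1024 are assumptions chosen only for illustration and must be replaced after evaluating your own HTTP/2 client mix.

```powershell
# Added example (not Microsoft's code): set and audit the two HTTP.sys
# thresholds introduced by ADV190005. Run as Administrator on a host that
# already has the February 2019 update installed; an unpatched HTTP.sys
# ignores these values.
$path = 'HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters'

# Ranges documented in the advisory. Windows clamps out-of-range values
# itself, but clamping here too makes the effective value explicit.
$limits = @{
    Http2MaxSettingsPerFrame  = @{ Min = 7; Max = 2796202 }
    Http2MaxSettingsPerMinute = @{ Min = 7 }   # no documented maximum
}

function Set-Http2SettingsLimit {
    param(
        [Parameter(Mandatory)]
        [ValidateSet('Http2MaxSettingsPerFrame', 'Http2MaxSettingsPerMinute')]
        [string]$Name,
        [Parameter(Mandatory)][uint32]$Value
    )
    $l = $limits[$Name]
    $clamped = $Value
    if ($clamped -lt $l.Min) { $clamped = $l.Min }
    if ($l.ContainsKey('Max') -and $clamped -gt $l.Max) { $clamped = $l.Max }
    if ($clamped -ne $Value) {
        Write-Warning "$Name=$Value is outside the supported range; using $clamped"
    }
    # DWORD is the type the advisory specifies; -Force overwrites an existing value.
    New-ItemProperty -Path $path -Name $Name -PropertyType DWord -Value $clamped -Force | Out-Null
}

function Get-Http2SettingsLimit {
    # One report object per threshold. Configured is $false when the DWORD is
    # absent, which means HTTP.sys applies no limit on that dimension.
    foreach ($name in $limits.Keys) {
        $v = (Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue).$name
        [pscustomobject]@{ Name = $name; Configured = ($null -ne $v); Value = $v }
    }
}

# Illustrative values only (assumption, not a Microsoft recommendation).
Set-Http2SettingsLimit -Name Http2MaxSettingsPerFrame  -Value 64
Set-Http2SettingsLimit -Name Http2MaxSettingsPerMinute -Value 1024
Get-Http2SettingsLimit | Format-Table -AutoSize

# As the advisory notes, a service restart or a reboot may be needed before
# the new values are read.
```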

Windows servers running IIS have previously been exploited by attackers with the help of a zero-day in IIS 6.0 affecting the WebDAV service included by default in all IIS distributions, between July 2016 and March 2017.
