Microsoft published a security advisory on its Security Response Center which discloses that Windows Server and Windows 10 servers running Internet Information Services (IIS) are vulnerable to denial of service (DOS) attacks.
To be more exact, all IIS servers running Windows Server 2016, Windows Server Version 1709, Windows Server Version 1803, as well as Windows 10 (versions 1607, 1703, 1709, and 1803) are affected by this DoS issue.
The vulnerability described in Microsoft's ADV190005 security advisory makes it possible for a potential remote attacker to trigger a DoS condition by taking advantage of an IIS resource exhaustion bug that "could temporarily cause the system CPU usage to spike to 100% until the malicious connections are killed by IIS."
Malicious actors can launch DoS attacks against vulnerable Windows servers by sending maliciously crafted HTTP/2 requests.
Microsoft states in the advisory that there are no known mitigations or workarounds for the vulnerability, which was reported by Gal Goldshtein of F5 Networks, and recommends that all users install the February non-security updates listed in the table below.
| Product | Article |
|---|---|
| Windows 10 Version 1607 for 32-bit Systems | 4487006 |
| Windows 10 Version 1607 for x64-based Systems | 4487006 |
| Windows 10 Version 1703 for 32-bit Systems | 4487011 |
| Windows 10 Version 1703 for x64-based Systems | 4487011 |
| Windows 10 Version 1709 for 32-bit Systems | 4487021 |
| Windows 10 Version 1709 for x64-based Systems | 4487021 |
| Windows 10 Version 1709 for ARM64-based Systems | 4487021 |
| Windows 10 Version 1803 for 32-bit Systems | 4487029 |
| Windows 10 Version 1803 for ARM64-based Systems | 4487029 |
| Windows 10 Version 1803 for x64-based Systems | 4487029 |
| Windows Server 2016 | 4487006 |
| Windows Server 2016 (Server Core installation) | 4487006 |
| Windows Server, version 1709 (Server Core Installation) | 4487021 |
| Windows Server, version 1803 (Server Core Installation) | 4487029 |
As detailed by Microsoft in their ADV190005 security advisory:
The HTTP/2 specification allows clients to specify any number of SETTINGS frames with any number of SETTINGS parameters. In some situations, excessive settings can cause services to become unstable and may result in a temporary CPU usage spike until the connection timeout is reached and the connection is closed.
As a mitigation measure, Redmond's security team "added the ability to define thresholds on the number of HTTP/2 SETTINGS included in a request." These thresholds are not pre-configured by Microsoft: IIS administrators have to set them themselves after evaluating their environment and their HTTP/2 protocol requirements.
To set these limits, Microsoft added the following registry entries on vulnerable Windows 10 releases:
Path: Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HTTP\Parameters
Name: Http2MaxSettingsPerFrame
Type: DWORD
Data: Supported min value 7 and max 2796202. Out of range values trimmed to corresponding min/max end value.
Path: Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HTTP\Parameters
Name: Http2MaxSettingsPerMinute
Type: DWORD
Data: Supported min value 7. Smaller value trimmed to the min value.
Once the thresholds are set on a Windows system running IIS, connections will be killed immediately:
- If a single SETTINGS frame contains more settings parameters than the "Http2MaxSettingsPerFrame" value
- If the number of settings parameters contained in multiple SETTINGS frames received within a minute exceeds the "Http2MaxSettingsPerMinute" value
It's also important to note that, according to Microsoft, a service restart or a server reboot might be needed for the newly added registry values to be read.
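The following PowerShell script is an added example (not from the article or from Microsoft) showing how an administrator can set the two registry values above and read them back. It assumes the February update is installed, that it runs in an elevated prompt on the IIS host, and that the default thresholds of 64 per frame and 512 per minute are only illustrative starting points to be tuned per environment.

```powershell
# Added example: configure the ADV190005 HTTP/2 SETTINGS thresholds in HTTP.sys.
# Run elevated on an IIS host that has the February 2019 update installed.
param(
    [int]$MaxSettingsPerFrame  = 64,   # illustrative value, not a Microsoft default
    [int]$MaxSettingsPerMinute = 512   # illustrative value, not a Microsoft default
)

$KeyPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters'

# Documented bounds from the advisory: per-frame 7..2796202, per-minute minimum 7.
# HTTP.sys trims out-of-range values itself; clamping here makes the effective
# value visible in the script output instead of being changed silently.
if ($MaxSettingsPerFrame -lt 7)        { $MaxSettingsPerFrame = 7 }
if ($MaxSettingsPerFrame -gt 2796202)  { $MaxSettingsPerFrame = 2796202 }
if ($MaxSettingsPerMinute -lt 7)       { $MaxSettingsPerMinute = 7 }

if (-not (Test-Path $KeyPath)) {
    New-Item -Path $KeyPath -Force | Out-Null
}

$Values = @{
    Http2MaxSettingsPerFrame  = $MaxSettingsPerFrame
    Http2MaxSettingsPerMinute = $MaxSettingsPerMinute
}

foreach ($Name in $Values.Keys) {
    # -Force overwrites an existing value; DWord matches the advisory's type.
    New-ItemProperty -Path $KeyPath -Name $Name -PropertyType DWord `
        -Value $Values[$Name] -Force | Out-Null
}

# Read the values back so the change can be verified (and logged) before restart.
$Actual = Get-ItemProperty -Path $KeyPath
foreach ($Name in $Values.Keys) {
    $Got = $Actual.$Name
    if ($Got -ne $Values[$Name]) {
        Write-Error "$Name is '$Got', expected $($Values[$Name])"
    } else {
        Write-Output "$Name = $Got"
    }
}

Write-Output 'Restart the HTTP service (or reboot) so HTTP.sys reads the new thresholds.'
```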
Windows servers running IIS have previously been exploited by attackers with the help of a zero-day in IIS 6.0 affecting the WebDAV service included by default in all IIS distributions, between July 2016 and March 2017.
Comments
pastru - 5 years ago
OMG Who in the hell and right mind uses MS IIS over Apache or even nginx? OMG that is like a time bomb is like you want to redo the whole project all over again, is like working with ASP omg who would dare? I stopped using ASP completely and as a respected developer, even talking about it is insulting.
woody188 - 5 years ago
Considering all the latest remote code breaches are PHP based...
I get it. MS/IIS has definitely earned that reputation. But to say Apache or nginx are any more secure is deluding yourself.
username2347523475 - 5 years ago
For many small businesses, MS/IIS is used for internal reporting. It is usually on the database with reporting enabled.