Microsoft revealed that Windows servers running Internet Information Services (IIS) are vulnerable to denial-of-service (DoS) attacks.
Attackers can trigger a DoS condition by sending specially crafted HTTP/2 requests, the CPU usage will temporarily spike to 100% forcing the IIS into killing the malicious connections.
“Microsoft is aware of a potential condition which can be triggered when malicious HTTP/2 requests are sent to a Windows Server running Internet Information Services (IIS). This could temporarily cause the system CPU usage to spike to 100% until the malicious connections are killed by IIS.” reads the security advisory published by Microsoft.
“The HTTP/2 specification allows clients to specify any number of SETTINGS frames with any number of SETTINGS parameters. In some situations, excessive settings can cause services to become unstable and may result in a temporary CPU usage spike until the connection timeout is reached and the connection is closed.”
The flaw affects Windows 10, Windows Server and Windows Server 2016.
The flaw was reported by Gal Goldshtein from F5 Networks who disclosed in November 2018 a similar flaw in the nginx web server software.
Microsoft has released updates to address the issue, the tech giant has implemented the ability to define thresholds on the number of HTTP/2 SETTINGS included in a request. These thresholds are not preset by Microsoft, instead, IIS administrator must define them. Microsoft published a knowledge base article to explain how to define thresholds on the number of HTTP/2 settings parameters exchanged over a connection.
[adrotate banner=”9″] | [adrotate banner=”12″] |
(SecurityAffairs – Windows, hacking)
[adrotate banner=”5″]
[adrotate banner=”13″]
The National Police Agency in South Korea warns that North Korea-linked threat actors are targeting…
The U.S. Department of State imposed visa restrictions on 13 individuals allegedly linked to the…
A cyber attack has been disrupting operations at Synlab Italia, a leading provider of medical…
Russia-linked APT28 group used a previously unknown tool, dubbed GooseEgg, to exploit Windows Print Spooler…
A financially motivated group named GhostR claims the theft of a sensitive database from World-Check…
Researcher demonstrated how to exploit vulnerabilities in the Windows DOS-to-NT path conversion process to achieve…
This website uses cookies.