Microsoft fixes IIS vulnerability that can cause CPU usage to soar to 100% when processing HTTP/2 requests

A vulnerability in Microsoft Internet Information Services (IIS) servers shipped with Windows Server 2016 and Windows 10 can cause CPU usage to spike to 100 percent when they’re processing HTTP/2 requests “until the malicious connections are killed by IIS,” the Microsoft Security Response Center said in a security advisory.

“The HTTP/2 specification allows clients to specify any number of SETTINGS frames with any number of SETTINGS parameters,” the advisory said. “In some situations, excessive settings can cause services to become unstable and may result in a temporary CPU usage spike until the connection timeout is reached and the connection is closed.”

Microsoft has countered the issue by adding the ability for IIS administrators to define thresholds on the number of HTTP/2 settings a request can include.

“The flaw in Microsoft IIS could cause serious problems for organizations using IIS for their corporate website or applications,” said Justin Jett, Plixer director of audit and compliance, who explained that although Microsoft has patched the problem, “it is still up to the IT team to properly configure IIS so the problem can’t be created.”

Because Microsoft does not provide presets, “fixing the problem is more than just applying the patch” and “IT teams should use network traffic analytics to look at connections going to their IIS servers to determine if they have connections going to their web servers that could be creating these problems,” Jett said.

“Often these connections are long-lived or the source connection continuously repeats to trigger a problem on the server. By looking at these metrics, IT teams can identify the source of the DDoS,” he said. “These types of problems can be resolved with proper configuration.”
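The per-connection review Jett describes can be sketched as follows. This is an added example, not code from Microsoft or from the article: it parses the client side of one HTTP/2 connection and counts SETTINGS frames and parameters against thresholds. It assumes the bytes are already decrypted (for instance at a TLS-terminating proxy); the threshold values, function names and sample streams are hypothetical.

```python
import struct

PREFACE = b"PRI * HTTP/2.0\r\n\r\nSM\r\n\r\n"  # RFC 7540 client connection preface
SETTINGS, ACK = 0x4, 0x1                         # frame type and flag from RFC 7540

# Hypothetical limits for this example; derive real ones from your own traffic baseline.
MAX_PARAMS_PER_FRAME = 32
MAX_PARAMS_PER_CONN = 256

def settings_frames(stream: bytes):
    """Yield the parameter count of each non-ACK SETTINGS frame in a client byte stream."""
    pos = len(PREFACE) if stream.startswith(PREFACE) else 0
    while pos + 9 <= len(stream):
        # 9-byte frame header: 24-bit length, 8-bit type, 8-bit flags, 32-bit stream id
        hi, lo, ftype, flags, _sid = struct.unpack_from(">BHBBI", stream, pos)
        length = (hi << 16) | lo
        payload_end = pos + 9 + length
        if payload_end > len(stream):
            break                                # truncated capture: stop, do not guess
        if ftype == SETTINGS and not flags & ACK:
            yield length // 6                    # each parameter is 6 bytes (id + value)
        pos = payload_end

def audit(stream: bytes) -> dict:
    """Summarise SETTINGS use on one connection and flag it if a limit is exceeded."""
    counts = list(settings_frames(stream))
    largest, total = max(counts, default=0), sum(counts)
    return {
        "frames": len(counts),
        "params": total,
        "largest_frame": largest,
        "flagged": largest > MAX_PARAMS_PER_FRAME or total > MAX_PARAMS_PER_CONN,
    }

def frame(ftype: int, flags: int, payload: bytes) -> bytes:
    """Build one frame on stream 0 (used only to construct the sample input below)."""
    n = len(payload)
    return struct.pack(">BHBBI", n >> 16, n & 0xFFFF, ftype, flags, 0) + payload

# Constructed sample input: a typical client (3 parameters) and an outlier (40 in one frame).
param = struct.pack(">HI", 0x3, 100)             # SETTINGS_MAX_CONCURRENT_STREAMS = 100
NORMAL = PREFACE + frame(SETTINGS, 0, param * 3) + frame(SETTINGS, ACK, b"")
OUTLIER = PREFACE + frame(SETTINGS, 0, param * 40) + frame(SETTINGS, ACK, b"")

if __name__ == "__main__":
    for name, data in (("normal", NORMAL), ("outlier", OUTLIER)):
        print(name, audit(data))
```

Connections that come back flagged are the ones to compare against whatever limits are then configured on the server.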
