IIS Vulnerability Triggers a Denial-of-Service

Microsoft has recently rolled-out updates for addressing a vulnerability in its Internet Information Services (IIS). Allegedly, this Microsoft IIS bug could cause a denial of service since the CPU usage rises to 100%.

Microsoft IIS Bug Leading To DoS

Microsoft has warned users of a serious security vulnerability targeting Internet Information Services (IIS). In its security advisory, Microsoft has explained the details of the problem.

As described, this Microsoft IIS bug arose upon processing malicious HTTP/2 requests. This could ultimately induce denial-of-service.

“Microsoft is aware of a potential condition which can be triggered when malicious HTTP/2 requests are sent to a Windows Server running Internet Information Services (IIS). This could temporarily cause the system CPU usage to spike to 100% until the malicious connections are killed by IIS.”

Explaining the reason behind this behavior, Microsoft stated,

“The HTTP/2 specification allows clients to specify any number of SETTINGS frames with any number of SETTINGS parameters. In some situations, excessive settings can cause services to become unstable and may result in a temporary CPU usage spike until the connection timeout is reached and the connection is closed.”

This vulnerability allegedly affects the IIS Servers shipped with Windows Server 2016 and Windows 10.

Updates Released As Fix

Microsoft has not only disclosed the vulnerability but has also rolled-out fixes for it. Allegedly, the cumulative updates KB4487006, KB4487011, KB4487021, and KB4487029 bring fixes for Windows 10 and Windows Server 2016.

Regarding how the patch works, Microsoft explained,

“To address this issue, Microsoft has provided an ability to define limits on the number of HTTP/2 settings parameters allowed over a connection. These limits are not preset by Microsoft and must be defined by system administrator after reviewing the HTTP/2 protocol and their environment requirements.”

While the updates will automatically download to the respective systems, the users should still make sure to update their systems with these patches.

Microsoft recommends the users to install February non-security update. This update comes around separately from the February’s patch Tuesday update bundle.

Related posts

Water Facilities Must Secure Exposed HMIs – Warns CISA

Microsoft December Patch Tuesday Arrived With 70+ Bug Fixes

NachoVPN Attack Risks Corporate VPN Clients