Vulnerability in IIS generates DoS condition

System administrators are recommended to update as soon as possible

According to network security and ethical hacking specialists from the International Institute of Cyber Security, the Microsoft Security Incident Response Center issued a security alert for a denial-of-service (DoS) condition in Internet Information Services (IIS), Microsoft's web server for the Windows operating system.

Network security experts mention that the problem exists because of how the IIS server handles HTTP/2 requests, which can lead to denial of service. “An attacker could send a very high setting value and cause server resource consumption to increase to unsustainable levels, resulting in denial of service.”

IIS servers included with Windows 10 and Windows Server 2016 are affected by the error in processing these requests. An update has already been released that lets administrators set a limit on the HTTP/2 settings each server will accept. Microsoft does not set this limit by default.

The company mentions that, under some circumstances, IIS servers that process these requests can see CPU usage rise to 100%, so systems slow down or, in the worst case, stop responding entirely.

Network security specialists comment that, beyond what is mentioned in the Microsoft security alert, no further details about the vulnerability are known.

HTTP/2 lets a client send settings frames carrying any number of parameters. In some cases, an excessive number of settings can destabilize services and drive up CPU usage until the connection's timeouts are exhausted and the connection is closed.

The vulnerability was corrected by adding the ability to define limits on the number of settings parameters in an HTTP/2 request that an IIS server will process.
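To make the mitigation concrete, the following added example (written for this article, not Microsoft's IIS code) parses HTTP/2 SETTINGS frames as defined by the HTTP/2 specification and enforces two bounds of the kind the fix introduces: a maximum number of settings parameters per frame and a maximum per sliding one-minute window per connection. The limit values `MAX_SETTINGS_PER_FRAME` and `MAX_SETTINGS_PER_MINUTE` are hypothetical; the article does not state what values IIS uses or how they are configured. The frames fed to the checker are constructed inline for the demonstration.

```python
import struct
from collections import deque

FRAME_HEADER_LEN = 9          # 24-bit length, 8-bit type, 8-bit flags, 31-bit stream id
SETTINGS_FRAME_TYPE = 0x4
SETTINGS_ACK_FLAG = 0x1
SETTINGS_ENTRY_LEN = 6        # 16-bit identifier + 32-bit value

# Hypothetical limits for this example; not the values IIS uses.
MAX_SETTINGS_PER_FRAME = 16
MAX_SETTINGS_PER_MINUTE = 64


def parse_frame_header(frame: bytes):
    """Split the 9-byte HTTP/2 frame header into (length, type, flags, stream_id)."""
    if len(frame) < FRAME_HEADER_LEN:
        raise ValueError("frame shorter than header")
    length = int.from_bytes(frame[0:3], "big")
    frame_type = frame[3]
    flags = frame[4]
    stream_id = int.from_bytes(frame[5:9], "big") & 0x7FFFFFFF  # top bit is reserved
    return length, frame_type, flags, stream_id


def parse_settings_payload(payload: bytes):
    """Decode a SETTINGS payload into a list of (identifier, value) pairs."""
    if len(payload) % SETTINGS_ENTRY_LEN != 0:
        raise ValueError("SETTINGS payload is not a multiple of 6 bytes")
    return [
        struct.unpack(">HI", payload[i:i + SETTINGS_ENTRY_LEN])
        for i in range(0, len(payload), SETTINGS_ENTRY_LEN)
    ]


class SettingsLimiter:
    """Per-connection bounds on how many settings parameters a peer may send."""

    def __init__(self, max_per_frame=MAX_SETTINGS_PER_FRAME,
                 max_per_minute=MAX_SETTINGS_PER_MINUTE, window=60.0):
        self.max_per_frame = max_per_frame
        self.max_per_minute = max_per_minute
        self.window = window
        self.events = deque()  # (timestamp, number of settings accepted)

    def accept(self, frame: bytes, now: float):
        """Return ("ok", entries), ("skip", []) for non-SETTINGS frames, or ("reject", reason)."""
        length, frame_type, flags, stream_id = parse_frame_header(frame)
        if frame_type != SETTINGS_FRAME_TYPE:
            return ("skip", [])
        if stream_id != 0:
            return ("reject", "settings-on-nonzero-stream")
        payload = frame[FRAME_HEADER_LEN:FRAME_HEADER_LEN + length]
        if len(payload) != length:
            return ("reject", "truncated")
        if flags & SETTINGS_ACK_FLAG:
            # An ACK carries no parameters; anything else is a protocol error.
            return ("ok", []) if length == 0 else ("reject", "ack-with-payload")
        try:
            entries = parse_settings_payload(payload)
        except ValueError as exc:
            return ("reject", str(exc))
        # Bound 1: parameters in a single frame.
        if len(entries) > self.max_per_frame:
            return ("reject", "per-frame")
        # Bound 2: parameters over the sliding window; drop expired events first.
        while self.events and now - self.events[0][0] >= self.window:
            self.events.popleft()
        total = sum(count for _, count in self.events) + len(entries)
        if total > self.max_per_minute:
            return ("reject", "per-minute")
        self.events.append((now, len(entries)))
        return ("ok", entries)


def build_settings_frame(entries, ack=False) -> bytes:
    """Encode a SETTINGS frame on stream 0 (used here to construct sample input)."""
    payload = b"".join(struct.pack(">HI", ident, value) for ident, value in entries)
    header = (len(payload).to_bytes(3, "big")
              + bytes([SETTINGS_FRAME_TYPE, SETTINGS_ACK_FLAG if ack else 0])
              + (0).to_bytes(4, "big"))
    return header + payload


if __name__ == "__main__":
    limiter = SettingsLimiter()
    # Constructed sample: SETTINGS_MAX_CONCURRENT_STREAMS (0x3) and SETTINGS_INITIAL_WINDOW_SIZE (0x4).
    print(limiter.accept(build_settings_frame([(0x3, 100), (0x4, 65535)]), now=0.0))
    print(limiter.accept(build_settings_frame([(0x3, 100)] * 17), now=1.0))
```

Without the per-frame bound, a single SETTINGS frame at the default 16384-byte maximum frame size can carry 2730 parameters, and nothing in the protocol stops a peer from sending such frames back to back; the per-window bound is what turns that from unbounded work into a fixed cost per connection.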

System administrators are encouraged to install the updates as soon as possible to mitigate the risk of a denial-of-service (DoS) condition.