Welcome to the sunlit uplands of HTTP/2, where a naughty request can send Microsoft's IIS into a spin
It's patching time again for Windows Server 2016 and Windows 10
Updated Oops! Microsoft has published an advisory on a bug in its Internet Information Services (IIS) product that allows a malicious HTTP/2 request to send CPU usage to 100 per cent.
An anonymous Reg reader tipped us off to the advisory, ADV190005, which warns that the condition can leave the system CPU usage pinned to the ceiling until IIS kills the connection.
In other words, a Denial Of Service (DOS).
HTTP/2 is a major update to the venerable HTTP protocol used by the World Wide Web and is geared toward improving performance, among other changes. Windows Server 2016 was the first Microsoft server product to support it, and Windows 10 (versions 1607 – 1803) is affected by the issue.
The problem, according to Microsoft, is that the HTTP/2 spec allows a client to specify any number of SETTINGS frames with any number of SETTINGS parameters. Those parameters usually include helpful stuff like the characteristics of the sending peer, and different values for the same parameter can be advertised by each peer.
Excessive settings can make things go a bit wobbly as IIS works on the request and sends the CPU usage sky high until a connection timeout is reached and the connection closed.
The good news is that this week's "non-security update" deals with the problem. Microsoft flung out patches on 19 February in the form of KB4487006, KB4487011, KB4487021 and KB4487029 to deal with it.
The company has added the ability to set thresholds on the number of HTTP/2 SETTINGS in a request but has declined to set any defaults, leaving it to the IIS Admin to configure.
This is assuming that administrators can actually find the setting. The link for the Knowledge Base article (KB4491420) that Microsoft suggested users review went nowhere at the time of writing, and the current documentation for IIS cheerfully tells admins that there are no new configuration settings specific to HTTP/2.
We've contacted Microsoft to learn more and will update with any response.
The issue itself was discovered by Gal Goldshtein of F5 Networks. ®
Updated to add at 15:13 UTC
After we brought the broken link to its attention, Microsoft posted the support article detailing defining those pesky thresholds.
Alas, there is no cosy GUI for admins. You'll need to edit a couple of registry entries and reboot to see the thresholds applied. As promised, Microsoft is not about to define any presets for the values. It's up to the admin to decide.
Sponsored: Becoming a Pragmatic Security Leader