Microsoft publishes security alert on IIS bug that causes 100% CPU usage spikes

Microsoft releases updates to fix bug that froze systems when IIS handled malformed HTTP/2 requests.
Written by Catalin Cimpanu, Contributor

The Microsoft Security Response Center published yesterday a security advisory about a denial of service (DOS) issue impacting IIS (Internet Information Services), Microsoft's web server technology.

According to Microsoft, IIS servers shipped with Windows 10 and Windows Server 2016 are impacted by a vulnerability when processing HTTP/2 requests.

HTTP/2 is the latest version of the HTTP protocol that underpins what's known as the World Wide Web (www), the part of the internet that regular users can access in their browsers.

Microsoft says that there are circumstances in which IIS servers processing HTTP/2 requests can cause CPU usage to spike to 100 percent, effectively blocking or slowing down the entire system.

Gal Goldshtein, a software engineer with F5 Networks, discovered the issue. Outside of Microsoft's ADV190005 security advisory, there are no other public details available about this vulnerability.

In its advisory, Microsoft described the issue as follows:

The HTTP/2 specification allows clients to specify any number of SETTINGS frames with any number of SETTINGS parameters. In some situations, excessive settings can cause services to become unstable and may result in a temporary CPU usage spike until the connection timeout is reached and the connection is closed.

The Redmond-based OS maker addressed the issue by adding the ability to define thresholds on the number of SETTINGS parameters included in an HTTP/2 request that an IIS server would be able to handle.

Cumulative updates KB4487006, KB4487011, KB4487021, and KB4487029 were released two days ago to address the IIS DOS bug.

After applying the updates, IIS administrators will be able to customize the HTTP/2 SETTINGS threshold and prevent the bug from freezing IIS web services.

"Thresholds must be defined by the IIS administrator," the company said, "they are not preset by Microsoft."

The 10 scariest cloud outages (and lessons learned from them)

Related cybersecurity news coverage:

Editorial standards