Vulnerability in IIS generates DoS condition

System administrators are recommended to update as soon as possible

According to network security and ethical hacking specialists from the International Institute of Cyber Security, the Microsoft Security Response Center has issued a security advisory for a denial-of-service (DoS) condition in Internet Information Services (IIS), Microsoft's web server for the Windows operating system.

Network security experts note that the problem lies in how the IIS server handles HTTP/2 requests, which can lead to denial of service. In Microsoft's words: "An attacker could send a very high setting value and cause server resource consumption to increase to unsustainable levels, resulting in denial of service."

IIS servers shipped with Windows 10 and Windows Server 2016 are affected. Microsoft has already released an update that lets administrators set a limit on the number of HTTP/2 SETTINGS parameters each server will accept. The limit is not set by default, so installing the update alone does not enforce one; administrators have to configure it.

Microsoft notes that under some circumstances, IIS servers processing such requests can see CPU usage rise to 100%, so the system slows down or, in the worst case, stops responding entirely.

Network security specialists point out that, beyond what is stated in the Microsoft advisory, no further details about the vulnerability are known.

HTTP/2 SETTINGS frames let a client send a large number of settings parameters in a single request. Processing an excessive number of them can destabilize the service and drive CPU usage up until timeouts expire and the connection is closed.

The vulnerability was addressed by adding the ability to define limits on the number of settings parameters in an HTTP/2 request that an IIS server will accept.

System administrators are encouraged to install the update as soon as possible and then configure the limit, in order to mitigate the risk of a DoS condition.
