Microsoft Issues Windows Server HTTP/2 Attack Advisory

Microsoft issued Security Advisory ADV190005 on Wednesday concerning a potential HTTP/2 settings issue for users of Internet Information Services (IIS) on Windows Server.

It's possible for "a malicious client" to push the CPU use to 100 percent on HTTP/2-based servers, Microsoft explained in its accompanying Knowledge Base article. That effect could tie up operations. Windows Server 2016 is potentially subject to these kinds of attacks, as well as Windows Server versions 1709 and 1803, plus Windows 10 versions.

Attacks that push the server's CPU use to its limit are possible because of how the HTTP/2 protocol was devised, according to Microsoft.

"The HTTP/2 protocol doesn't define any practical limit on the number of settings parameters included in a single settings frame (max allowed is 2796202) and there is no limit on the number of times such settings frames are exchanged," the Knowledge Base article explained.

It's not clear from the advisory or the Knowledge Base article if malicious clients are currently being used for such attacks, nor is the severity described. Microsoft credited Gal Goldshtein, a researcher with F5 Networks, for reporting the issue.

There's no patch coming to address this issue. IT pros are advised to make two Registry edits to define the limits on the number of HTTP/2 settings parameters that are allowed (ranging from 7 to 2796202). Here's the Knowledge Base article's description:

To address this issue, Microsoft has provided an ability to define limits on the number of HTTP/2 settings parameters allowed over a connection. These limits are not preset by Microsoft and must be defined by the system administrator after reviewing the HTTP/2 protocol and their environment requirements.

After the Registry changes are made, a reboot of the server is required for the new settings parameters to come into effect.
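The limit the advisory describes can be illustrated with a small SETTINGS-frame checker. This is an added example, not code from the article or from Microsoft: it parses the 9-byte HTTP/2 frame header and the 6-byte settings entries, derives the 2796202 per-frame maximum from the 24-bit length field, and rejects frames or connections that exceed an administrator-chosen limit (the limit values, the connection-level budget policy and the frame bytes are all constructed for the demonstration).

```python
import struct

FRAME_HEADER_LEN = 9          # 24-bit length, 8-bit type, 8-bit flags, 1 reserved bit + 31-bit stream id
SETTINGS_FRAME_TYPE = 0x4     # SETTINGS frame type per RFC 7540
SETTING_ENTRY_LEN = 6         # 16-bit identifier + 32-bit value
MAX_FRAME_LENGTH = (1 << 24) - 1


def max_settings_per_frame():
    """Largest number of 6-byte settings entries one SETTINGS frame can carry (2796202)."""
    return MAX_FRAME_LENGTH // SETTING_ENTRY_LEN


def build_settings_frame(entries):
    """Build a SETTINGS frame on stream 0 from (identifier, value) pairs (constructed test input)."""
    payload = b"".join(struct.pack("!HI", ident, value) for ident, value in entries)
    header = struct.pack("!I", len(payload))[1:] + bytes([SETTINGS_FRAME_TYPE, 0]) + struct.pack("!I", 0)
    return header + payload


def check_settings_frame(frame, per_frame_limit):
    """Return (accepted, settings_count, reason) for one raw HTTP/2 frame."""
    if len(frame) < FRAME_HEADER_LEN:
        return False, 0, "short frame"
    length = int.from_bytes(frame[0:3], "big")
    frame_type = frame[3]
    stream_id = int.from_bytes(frame[5:9], "big") & 0x7FFFFFFF
    if frame_type != SETTINGS_FRAME_TYPE:
        return True, 0, "not a SETTINGS frame"
    if stream_id != 0 or length % SETTING_ENTRY_LEN != 0 or len(frame) != FRAME_HEADER_LEN + length:
        return False, 0, "malformed SETTINGS frame"   # a protocol error under RFC 7540
    count = length // SETTING_ENTRY_LEN
    if count > per_frame_limit:
        return False, count, f"{count} settings exceed per-frame limit {per_frame_limit}"
    return True, count, "ok"


class ConnectionSettingsBudget:
    """Counts settings entries seen on one connection against a cumulative cap (assumed policy)."""

    def __init__(self, per_frame_limit, per_connection_limit):
        self.per_frame_limit = per_frame_limit
        self.per_connection_limit = per_connection_limit
        self.seen = 0

    def accept(self, frame):
        ok, count, reason = check_settings_frame(frame, self.per_frame_limit)
        if not ok:
            return False, reason
        self.seen += count
        if self.seen > self.per_connection_limit:
            return False, f"{self.seen} settings on this connection exceed limit {self.per_connection_limit}"
        return True, reason
```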

HTTP/2 is an Internet Engineering Task Force (IETF) effort and not a World Wide Web Consortium project. It was initiated to replace the HTTP protocol with something that can better address network resource use. It's based on the SPDY/2 protocol for low-latency content transport and addresses an issue in HTTP/1.x where too many concurrent streams are needed to support a connection. Unlike HTTP/1.x, a connection using HTTP/2 is "fully multiplexed" and can use "one connection for parallelism," according to IETF's FAQ page. HTTP/2 also features "header compression to reduce overhead" and it supports push responses from servers to clients. It's currently possible to use HTTP/2 alone without using HTTP/1.x, according to the IETF.

HTTP/2 is supported in various browsers, including Chrome, Edge, Firefox and Safari. Support in the Opera and the Yandex browsers will be coming, according to the FAQ.

Known HTTP/2 support in software products is tracked on a GitHub page.

About the Author

Kurt Mackie is senior news producer for 1105 Media's Converge360 group.

