Microsoft Issues Windows Server HTTP/2 Attack Advisory

Microsoft issued Security Advisory ADV190005 on Wednesday concerning a potential HTTP/2 settings issue for users of Internet Information Services (IIS) on Windows Server.

It's possible for "a malicious client" to push the CPU use to 100 percent on HTTP/2-based servers, Microsoft explained in its accompanying Knowledge Base article. That effect could tie up operations. Windows Server 2016 is potentially subject to these kinds of attacks, as well as Windows Server versions 1709 and 1803, plus Windows 10 versions.

Attacks that push the server's CPU use to its limit are possible because of how the HTTP/2 protocol was devised, according to Microsoft.

"The HTTP/2 protocol doesn't define any practical limit on the number of settings parameters included in a single settings frame (max allowed is 2796202) and there is no limit on the number of times such settings frames are exchanged," the Knowledge Base article explained.

It's not clear from the advisory or the Knowledge Base article if malicious clients are currently being used for such attacks, nor is the severity described. Microsoft credited Gal Goldshtein, a researcher with F5 Networks, for reporting the issue.

There's no patch coming to address this issue. IT pros are advised to make two Registry edits to define the limits on the number of HTTP/2 settings parameters that are allowed (ranging from 7 to 2796202). Here's the Knowledge Base article's description:

To address this issue, Microsoft has provided an ability to define limits on the number of HTTP/2 settings parameters allowed over a connection. These limits are not preset by Microsoft and must be defined by system administrator after reviewing the HTTP/2 protocol and their environment requirements.

After the Registry changes are made, a reboot of the server is required for the new settings parameters to come into effect.
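The two limits the Knowledge Base article describes (settings parameters per SETTINGS frame, and how often such frames may be exchanged) can be modelled directly against the frame layout that produces the 2796202 figure quoted above. The Python below is an added example, not code from Microsoft, IIS or the advisory: it builds and parses HTTP/2 SETTINGS frames using the RFC 7540 layout (9-byte header, 6 bytes per setting), derives the 2796202 maximum from the 24-bit frame length field, and applies a per-frame and a per-minute cap on settings parameters per connection. The class `SettingsLimiter`, its result strings, the `simulate_flood` helper and the cap values used are all constructed for this example; they are not the IIS Registry values, which this page does not name.

```python
import struct
from collections import deque

# HTTP/2 frame layout (RFC 7540 section 4.1): 24-bit length, 8-bit type,
# 8-bit flags, 1 reserved bit + 31-bit stream identifier, then the payload.
FRAME_HEADER_LEN = 9
FRAME_TYPE_SETTINGS = 0x4
FLAG_ACK = 0x1
SETTING_LEN = 6                              # 16-bit identifier + 32-bit value
MAX_FRAME_PAYLOAD = (1 << 24) - 1            # 16,777,215 bytes
# The "max allowed" figure the Knowledge Base article quotes falls out of the
# frame length field: 16,777,215 // 6 == 2,796,202 settings in one frame.
MAX_SETTINGS_PER_FRAME = MAX_FRAME_PAYLOAD // SETTING_LEN


def build_settings_frame(settings, flags=0, stream_id=0):
    """Encode a SETTINGS frame from (identifier, value) pairs (constructed input)."""
    payload = b"".join(struct.pack("!HI", ident, value) for ident, value in settings)
    if len(payload) > MAX_FRAME_PAYLOAD:
        raise ValueError("payload exceeds the 24-bit frame length field")
    header = (struct.pack("!I", len(payload))[1:]          # low 3 bytes = length
              + bytes([FRAME_TYPE_SETTINGS, flags])
              + struct.pack("!I", stream_id & 0x7FFFFFFF))
    return header + payload


def parse_frame(buf):
    """Split one frame into (length, type, flags, stream_id, payload)."""
    if len(buf) < FRAME_HEADER_LEN:
        raise ValueError("short frame header")
    length = int.from_bytes(buf[0:3], "big")
    ftype, flags = buf[3], buf[4]
    stream_id = struct.unpack("!I", buf[5:9])[0] & 0x7FFFFFFF
    payload = buf[FRAME_HEADER_LEN:FRAME_HEADER_LEN + length]
    if len(payload) != length:
        raise ValueError("truncated frame payload")
    return length, ftype, flags, stream_id, payload


def count_settings(payload):
    """Number of settings parameters carried by a SETTINGS payload."""
    if len(payload) % SETTING_LEN:
        raise ValueError("SETTINGS payload is not a multiple of 6 bytes")
    return len(payload) // SETTING_LEN


class SettingsLimiter:
    """Per-connection cap on settings parameters, per frame and per minute.

    The cap values are constructed for this example; the advisory leaves the
    real values to the administrator and the page gives no defaults.
    """

    def __init__(self, max_per_frame=100, max_per_minute=1000):
        self.max_per_frame = max_per_frame
        self.max_per_minute = max_per_minute
        self._window = deque()      # (timestamp, count) seen in the last 60 seconds
        self._in_window = 0

    def accept(self, frame_bytes, now):
        """Return 'accept' or a reason string; `now` is seconds on any monotonic clock."""
        length, ftype, flags, stream_id, payload = parse_frame(frame_bytes)
        if ftype != FRAME_TYPE_SETTINGS:
            return "not-settings"
        if stream_id != 0:
            return "protocol-error"          # SETTINGS only travel on stream 0
        if flags & FLAG_ACK:
            return "ack" if length == 0 else "protocol-error"
        n = count_settings(payload)
        if n > self.max_per_frame:
            return "reject-frame-limit"       # a real server would close the connection
        while self._window and now - self._window[0][0] >= 60:
            _, expired = self._window.popleft()
            self._in_window -= expired
        if self._in_window + n > self.max_per_minute:
            return "reject-rate-limit"
        self._window.append((now, n))
        self._in_window += n
        return "accept"


def simulate_flood(limiter, frame_count, settings_per_frame, interval):
    """Feed `frame_count` SETTINGS frames spaced `interval` seconds apart and
    return (accepted, rejected) so the effect of the caps can be measured."""
    # 0x3 is SETTINGS_MAX_CONCURRENT_STREAMS; any valid identifier would do here.
    frame = build_settings_frame([(0x3, 100)] * settings_per_frame)
    accepted = rejected = 0
    for i in range(frame_count):
        if limiter.accept(frame, now=i * interval) == "accept":
            accepted += 1
        else:
            rejected += 1
    return accepted, rejected


if __name__ == "__main__":
    lim = SettingsLimiter(max_per_frame=10, max_per_minute=25)
    print("settings per frame implied by the frame length field:", MAX_SETTINGS_PER_FRAME)
    print("20 frames x 3 settings, 1 s apart ->", simulate_flood(lim, 20, 3, 1.0))
```

The per-minute window matters as much as the per-frame cap: a client that keeps every frame under the per-frame limit can still send frames back to back, which is the "no limit on the number of times such settings frames are exchanged" half of the problem. Both checks have to be present for the cost of processing settings to stay bounded per connection.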

HTTP/2 is an Internet Engineering Task Force (IETF) effort and not a World Wide Web Consortium project. It was initiated to replace the HTTP protocol with something that can better address network resource use. It's based on the SPDY/2 protocol for low-latency content transport and addresses an issue in HTTP/1.x where too many concurrent streams are needed to support a connection. Unlike HTTP/1.x, a connection using HTTP/2 is "fully multiplexed" and can use "one connection for parallelism," according to IETF's FAQ page. HTTP/2 also features "header compression to reduce overhead" and it supports push responses from servers to clients. It's currently possible to use HTTP/2 alone without using HTTP/1.x, according to the IETF.

HTTP/2 is supported in various browsers, including Chrome, Edge, Firefox and Safari. Support in the Opera and the Yandex browsers will be coming, according to the FAQ.

Known HTTP/2 support in software products is tracked and can be found at this GitHub page.

About the Author

Kurt Mackie is senior news producer for 1105 Media's Converge360 group.
