Microsoft Issues Windows Server HTTP/2 Attack Advisory

Microsoft issued Security Advisory ADV190005 on Wednesday concerning a potential HTTP/2 settings issue for users of Internet Information Services (IIS) on Windows Server.

It's possible for "a malicious client" to push CPU use to 100 percent on HTTP/2-based servers, Microsoft explained in its accompanying Knowledge Base article. That effect could tie up operations. Windows Server 2016, Windows Server versions 1709 and 1803, and Windows 10 versions are potentially subject to these kinds of attacks.

Attacks that push the server's CPU use to its limit are possible because of how the HTTP/2 protocol was devised, according to Microsoft.

"The HTTP/2 protocol doesn't define any practical limit on the number of settings parameters included in a single settings frame (max allowed is 2796202) and there is no limit on the number of times such settings frames are exchanged," the Knowledge Base article explained.

It's not clear from the advisory or the Knowledge Base article if malicious clients are currently being used for such attacks, nor is the severity described. Microsoft credited Gal Goldshtein, a researcher with F5 Networks, for reporting the issue.

There's no patch coming to address this issue. IT pros are advised to make two Registry edits that define limits on the number of HTTP/2 settings parameters allowed (ranging from 7 to 2796202). Here's the Knowledge Base article's description:

To address this issue, Microsoft has provided an ability to define limits on the number of HTTP/2 settings parameters allowed over a connection. These limits are not preset by Microsoft and must be defined by the system administrator after reviewing the HTTP/2 protocol and their environment requirements.

After the Registry changes are made, a reboot of the server is required for the new settings parameters to come into effect.
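To make the two limits concrete, here is an added example (not code from Microsoft or the Knowledge Base article) of the kind of per-connection check an HTTP/2 server can apply: it parses raw SETTINGS frames, derives the 2796202 protocol maximum from the frame format, and rejects a connection that exceeds a per-frame or per-time-window parameter budget. The limiter's knob names and the sample frames are this example's own assumptions, not Microsoft's registry value names.

```python
import struct
import time

FRAME_HEADER_LEN = 9    # 24-bit length, 8-bit type, 8-bit flags, 32-bit R + stream id
SETTINGS_TYPE = 0x4
SETTING_ENTRY_LEN = 6   # 16-bit identifier followed by a 32-bit value
# The only cap HTTP/2 itself imposes: the 24-bit payload length divided by 6 bytes
# per parameter, which is the 2796202 figure quoted in the Knowledge Base article.
PROTOCOL_MAX_SETTINGS_PER_FRAME = ((1 << 24) - 1) // SETTING_ENTRY_LEN

class SettingsFloodError(Exception):
    pass

class SettingsLimiter:
    """Per-connection guard. max_per_frame and max_per_window are this example's
    own hypothetical knobs, not the names of Microsoft's registry values."""

    def __init__(self, max_per_frame, max_per_window, window_seconds=60.0,
                 clock=time.monotonic):
        self.max_per_frame, self.max_per_window = max_per_frame, max_per_window
        self.window_seconds, self.clock = window_seconds, clock
        self.window_start, self.seen_in_window = clock(), 0

    def inspect(self, frame: bytes) -> int:
        """Count the parameters in a non-ACK SETTINGS frame (0 for anything else);
        raise SettingsFloodError when a per-frame or per-window limit is exceeded."""
        if len(frame) < FRAME_HEADER_LEN:
            raise ValueError("truncated frame header")
        length = int.from_bytes(frame[0:3], "big")
        if frame[3] != SETTINGS_TYPE or frame[4] & 0x1:
            return 0
        payload = frame[FRAME_HEADER_LEN:FRAME_HEADER_LEN + length]
        if len(payload) != length or length % SETTING_ENTRY_LEN:
            raise ValueError("malformed SETTINGS payload")
        count = length // SETTING_ENTRY_LEN
        if count > self.max_per_frame:
            raise SettingsFloodError(f"{count} parameters in one SETTINGS frame")
        now = self.clock()
        if now - self.window_start >= self.window_seconds:
            self.window_start, self.seen_in_window = now, 0
        self.seen_in_window += count        # many small frames add up as well
        if self.seen_in_window > self.max_per_window:
            raise SettingsFloodError(f"{self.seen_in_window} parameters in window")
        return count

def build_settings_frame(pairs):
    """Constructed sample input: a SETTINGS frame carrying the given (id, value) pairs."""
    payload = b"".join(struct.pack("!HI", ident, value) for ident, value in pairs)
    return len(payload).to_bytes(3, "big") + bytes([SETTINGS_TYPE, 0, 0, 0, 0, 0]) + payload
```

A real deployment would pick the two budgets from observed legitimate client behaviour, since the page notes Microsoft ships no default values.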

HTTP/2 is an Internet Engineering Task Force (IETF) effort, not a World Wide Web Consortium project. It was initiated to replace the HTTP protocol with something that better addresses network resource use. It's based on the SPDY/2 protocol for low-latency content transport and addresses an issue in HTTP/1.x where too many concurrent streams are needed to support a connection. Unlike HTTP/1.x, a connection using HTTP/2 is "fully multiplexed" and can use "one connection for parallelism," according to the IETF's FAQ page. HTTP/2 also features "header compression to reduce overhead," and it supports push responses from servers to clients. It's currently possible to use HTTP/2 alone without using HTTP/1.x, according to the IETF.

HTTP/2 is supported in various browsers, including Chrome, Edge, Firefox and Safari. Support in the Opera and the Yandex browsers will be coming, according to the FAQ.

Known HTTP/2 implementations in software products are tracked, and the list can be found at this GitHub page.

About the Author

Kurt Mackie is senior news producer for 1105 Media's Converge360 group.
