• HOME
  • About Us
  • Industry Insight & news
    • Industry Insight & News
    • Sign up to our newsletter
  • Press releases & updates
    • Press Releases & Updates
  • Downloads & Resources
    • Downloads & Resources
  • Events
    • DTX Europe
    • DTX Manchester
    • UC EXPO
  • DTX TV


Expert found a DoS flaw in Windows Servers running IIS

Expert found a DoS flaw in Windows Servers running IIS
2019-02-27T00:00:00Z

Source: http://www.cyberdefensemagazine.com/expert-found-a-dos-flaw-in-windows-servers-running-iis/

Windows servers running Internet Information Services (IIS) are vulnerable to denial-of-service (DoS) attacks carried out through malicious HTTP/2 requests.

Microsoft revealed that Windows servers running Internet Information Services (IIS) are vulnerable to denial-of-service (DoS) attacks.

Attackers can trigger a DoS condition by sending specially crafted HTTP/2 requests, the CPU usage will temporarily spike to 100% forcing the IIS into killing the malicious connections.

“Microsoft is aware of a potential condition which can be triggered when malicious HTTP/2 requests are sent to a Windows Server running Internet Information Services (IIS). This could temporarily cause the system CPU usage to spike to 100% until the malicious connections are killed by IIS reads the security advisory published by Microsoft.

“The HTTP/2 specification allows clients to specify any number of SETTINGS frames with any number of SETTINGS parameters. In some situations, excessive settings can cause services to become unstable and may result in a temporary CPU usage spike until the connection timeout is reached and the connection is closed.”

The flaw affects Windows 10, Windows Server and Windows Server 2016.

The flaw was reported by Gal Goldshtein from F5 Networks who disclosed in November 2018 a similar flaw in the nginx web server software.

Microsoft has released updates to address the issue, the tech giant has implemented the ability to define thresholds on the number of HTTP/2 SETTINGS included in a request. These thresholds are not preset by Microsoft, instead, IIS administrator must define them. Microsoft published a knowledge base article to explain how to define thresholds on the number of HTTP/2 settings parameters exchanged over a connection.


__________________________________________________________________________________________

To explore more ways to stay ahead of the hackers, why not Register Free here for Cyber Security X 2019?

__________________________________________________________________________________________

View more articles here


Digital Transformation EXPO Europe 

IP EXPO
Cyber Security X
AI & Analytics X

Digital Transformation EXPO Manchester

IP EXPO
Cyber Security X
AI & Analytics X

© Copyright 2018 – Imago Techmedia | Website content is valid at the date of publishing and therefore can be subject to change

Disclaimer: Imago Techmedia is not responsible for the content of speakers and seminars, and any information and opinions shared does not necessarily reflect the views or opinions of Imago Techmedia or associated brands.

TERMS & CONDITIONS | PRIVACY & COOKIES POLICY