Windows servers running IIS are vulnerable to resource-depletion DoS attacks

Windows IIS
Microsoft issued a security advisory which reveals that Windows Server and Windows 10 systems running Internet Information Services (IIS) are vulnerable to denial of service (DoS) attacks.
To be more exact, all IIS servers running Windows Server 2016, Windows Server version 1709, Windows Server version 1803, as well as Windows 10 (versions 1607, 1703, 1709 and 1803) are affected by this DoS problem.
The vulnerability described in Microsoft's ADV190005 security advisory makes it possible for a potential remote attacker to trigger a DoS condition by taking advantage of an IIS resource depletion error that "could cause the system's CPU usage to increase to 100% until the malicious connections are eliminated by IIS." Malicious actors can launch DoS attacks against vulnerable Windows servers by sending maliciously crafted HTTP/2 requests.
Microsoft indicates in the advisory that there are no known mitigating factors or workarounds for the vulnerability, which was reported by Gal Goldshtein of F5 Networks, and recommends that all users install the security updates for the systems listed in the table below.
Product                                                   Article (KB)
Windows 10 Version 1607 for 32-bit Systems                4487006
Windows 10 Version 1607 for x64-based Systems             4487006
Windows 10 Version 1703 for 32-bit Systems                4487011
Windows 10 Version 1703 for x64-based Systems             4487011
Windows 10 Version 1709 for 32-bit Systems                4487021
Windows 10 Version 1709 for x64-based Systems             4487021
Windows 10 Version 1709 for ARM64-based Systems           4487021
Windows 10 Version 1803 for 32-bit Systems                4487029
Windows 10 Version 1803 for ARM64-based Systems           4487029
Windows 10 Version 1803 for x64-based Systems             4487029
Windows Server 2016                                       4487006
Windows Server 2016 (Server Core installation)            4487006
Windows Server, version 1709 (Server Core Installation)   4487021
Windows Server, version 1803 (Server Core Installation)   4487029

As detailed by Microsoft in its security notice ADV190005:
The HTTP/2 specification allows clients to specify any number of SETTINGS frames 
with any number of SETTINGS parameters. In some situations, excessive settings can 
cause services to become unstable and may result in a temporary CPU usage spike until 
the connection timeout is reached and the connection is closed.
As a mitigation measure, the Redmond security team "added the ability to define thresholds on the number of HTTP/2 SETTINGS included in a request". IIS administrators must configure these thresholds themselves after assessing their environment, systems and HTTP/2 protocol requirements, since they will not be preconfigured by Microsoft.

To set these limits, Microsoft added the following registry entries in the vulnerable versions of Windows 10:
Path: Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HTTP\Parameters
Name: Http2MaxSettingsPerFrame
Type: DWORD
Data: Supported min value 7 and max 2796202. Out of range values trimmed to corresponding min/max end value.

Path: Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HTTP\Parameters
Name: Http2MaxSettingsPerMinute
Type: DWORD
Data: Supported min value 7. Smaller value trimmed to the min value. 
Once the thresholds are set on a Windows system running IIS, a connection will be terminated immediately in either of these cases:
If a single SETTINGS frame contains more settings parameters than the value of "Http2MaxSettingsPerFrame".
If the number of settings parameters contained in multiple SETTINGS frames received within a minute crosses the value of "Http2MaxSettingsPerMinute".
It is also important to note that, according to Microsoft, a restart of the service or a restart of the server may be necessary for the newly added registry values to be read.
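The two checks described above can be modelled offline, for example to count SETTINGS parameters in captured traffic before choosing threshold values. The following Python is an added example, not code from Microsoft or from this article; the function and class names, the 60-second sliding window and the reading of "crosses" as "exceeds" are assumptions, and the sample bytes are constructed.

```python
import struct

SETTINGS, ACK, ENTRY_LEN = 0x4, 0x1, 6        # RFC 7540 6.5: entry = 16-bit id + 32-bit value
FRAME_MIN, FRAME_MAX = 7, 2796202             # Http2MaxSettingsPerFrame range from the page
assert FRAME_MAX == (2**24 - 1) // ENTRY_LEN  # = most entries a maximum-length frame can carry

def clamp(value, low, high=None):
    """Trim an out-of-range threshold to the nearest supported bound."""
    value = max(value, low)
    return value if high is None else min(value, high)

def settings_counts(stream):
    """Return the parameter count of every non-ACK SETTINGS frame in raw frame bytes."""
    counts, pos = [], 0
    while pos + 9 <= len(stream):
        hi, lo, ftype, flags, _sid = struct.unpack_from(">BHBBI", stream, pos)
        length = (hi << 16) | lo
        if pos + 9 + length > len(stream):
            break                             # truncated capture: stop parsing
        if ftype == SETTINGS and not flags & ACK:
            counts.append(length // ENTRY_LEN)
        pos += 9 + length
    return counts

class SettingsLimiter:
    """Per-connection model of the two thresholds (60 s sliding window is an assumption)."""
    def __init__(self, per_frame, per_minute):
        self.per_frame = clamp(per_frame, FRAME_MIN, FRAME_MAX)
        self.per_minute = clamp(per_minute, 7)    # the page gives a minimum only
        self.seen = []                            # (timestamp, count) pairs

    def observe(self, now, count):
        """Return the name of the threshold that was exceeded, or None."""
        if count > self.per_frame:
            return "Http2MaxSettingsPerFrame"
        self.seen = [(t, c) for t, c in self.seen if now - t < 60] + [(now, count)]
        if sum(c for _, c in self.seen) > self.per_minute:
            return "Http2MaxSettingsPerMinute"
        return None

# Constructed sample capture: three frames on one connection.
ENTRY = bytes.fromhex("000300000064")         # id 0x3 (MAX_CONCURRENT_STREAMS) = 100
SAMPLE = (bytes.fromhex("000012040000000000") + ENTRY * 3     # SETTINGS, 3 parameters
          + bytes.fromhex("000000040100000000")               # SETTINGS ACK, empty payload
          + bytes.fromhex("000030040000000000") + ENTRY * 8)  # SETTINGS, 8 parameters

if __name__ == "__main__":
    limiter = SettingsLimiter(per_frame=7, per_minute=100)
    for second, n in enumerate(settings_counts(SAMPLE)):
        print(n, "parameters ->", limiter.observe(float(second), n) or "ok")
```

The module-level assertion shows that the documented maximum of 2796202 is exactly the number of 6-byte settings entries that fit in the largest possible HTTP/2 frame payload (2^24 - 1 bytes).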
Windows servers running IIS have previously been exploited by attackers, between July 2016 and March 2017, with the help of a zero-day in IIS 6.0 that affects the WebDAV service included by default in all IIS distributions.

Hackerbrother
