
CVE-2019-9514

Published: 13 Aug 2019
Source: msrc
CVSS3: 7.5
EPSS: Low

Description

HTTP/2 Server Denial of Service Vulnerability

A denial of service vulnerability exists in the HTTP/2 protocol stack (HTTP.sys) when HTTP.sys improperly parses specially crafted HTTP/2 requests. An attacker who successfully exploited the vulnerability could create a denial of service condition, causing the target system to become unresponsive.

To exploit this vulnerability, an unauthenticated attacker could send a specially crafted HTTP packet to a target system, causing the affected system to become nonresponsive.

The update addresses the vulnerability by modifying how the Windows HTTP protocol stack handles HTTP/2 requests. Note that the denial of service vulnerability would not allow an attacker to execute code or to elevate user rights.

Workaround

The following workaround may be helpful in your situation. In all cases, Microsoft strongly recommends that you install the updates for this vulnerability as soon as possible even if you plan to leave this workaround in place:

Disable the HTTP/2 protocol on your web server by using the Registry Editor

Note Using Registry Editor incorrectly can cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that problems resulting from the incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk. For information about how to edit the registry, view the "Changing Keys and Values" Help topic in Registry Editor (Regedit.exe) or view the "Add and Delete Information in the Registry" and "Edit Registry Data" Help topics in Regedt32.exe.

  1. Click Start, click Run, type Regedit in the Open box, and then click OK.
  2. Locate and then click the following registry subkey:

    HKLM\SYSTEM\CurrentControlSet\Services\HTTP\Parameters

  3. Set DWORD type values EnableHttp2Tls and EnableHttp2Cleartext to one of the following:
    • Set to 0 to disable HTTP/2
    • Set to 1 to enable HTTP/2
  4. Exit Registry Editor.
  5. Restart the computer.

FAQ

After I install the HTTP/2 updates, is there anything else I need to do to be protected from this vulnerability?

Yes. The update adds configuration settings to the IIS server, but these settings are turned off by default. To be fully protected from the vulnerabilities, an administrator needs to configure their server to limit the number of HTTP/2 packets accepted. This can vary based on the environment and services running on each server.

Note Using Registry Editor incorrectly can cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that problems resulting from the incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk. For information about how to edit the registry, view the "Changing Keys and Values" Help topic in Registry Editor (Regedit.exe) or view the "Add and Delete Information in the Registry" and "Edit Registry Data" Help topics in Regedt32.exe.

Connection-specific setting

  1. Click Start, click Run, type Regedit in the Open box, and then click OK.
  2. Locate and then click the following registry subkey: HKLM\SYSTEM\CurrentControlSet\Services\HTTP\Parameters
  3. Set DWORD type value Http2MaxPingsPerMinute:
    • Range between 0 and 0xFF
    • This sets the maximum number of pings per minute a client can send to the server
  4. Exit Registry Editor.
  5. Restart the computer.

Stream-specific settings

  1. Click Start, click Run, type Regedit in the Open box, and then click OK.
  2. Locate and then click the following registry subkey: HKLM\SYSTEM\CurrentControlSet\Services\HTTP\Parameters
  3. Set DWORD type values for any of the following keys:
    • Http2MaxServerResetsPerMinute
      • Range between 0 and 0xFFFF
      • This sets the maximum number of requests per minute from a client that can generate server reset frames
    • Http2MaxPrioritiesPerStream
      • Range between 0 and 0xFF
      • This sets the maximum number of priority frames per minute a client can send to the server
    • Http2MaxResetsPerStream
      • Range between 0 and 0xFF
      • This sets the maximum number of reset frames per minute a client can send to the server
    • Http2MaxUnknownsPerStream
      • Range between 0 and 0xFF
      • This sets the maximum number of unknown frames per minute a client can send to the server
    • Http2MaxWindowUpdatesPerSend
      • Range between 0 and 0xFF
      • This sets the maximum number of window update frames per minute a client can send to the server
    • Http2MinimumSendWindowSize
      • Range between 0 and 0xFFFF
      • This sets the minimum send window size for data frames
  4. Exit Registry Editor.
  5. Restart the computer.
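
The workaround and FAQ procedures above all edit the same registry key, so one read-only check can confirm what is actually configured on a host. The following PowerShell is an added example, not Microsoft's or this page's code; the value names and upper bounds come from the text above, and the function name Get-Http2SettingReport and the status labels are hypothetical.

```powershell
# Added example: read-only audit of the HTTP.sys HTTP/2 values named in this advisory.
# It changes nothing; names and ranges are taken from the advisory text.
$Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters'

# Value name -> inclusive upper bound stated in the advisory.
$Settings = [ordered]@{
    EnableHttp2Tls                = 1
    EnableHttp2Cleartext          = 1
    Http2MaxPingsPerMinute        = 0xFF
    Http2MaxServerResetsPerMinute = 0xFFFF
    Http2MaxPrioritiesPerStream   = 0xFF
    Http2MaxResetsPerStream       = 0xFF
    Http2MaxUnknownsPerStream     = 0xFF
    Http2MaxWindowUpdatesPerSend  = 0xFF
    Http2MinimumSendWindowSize    = 0xFFFF
}

function Get-Http2SettingReport {
    param(
        [string]$KeyPath = $Path,
        [System.Collections.IDictionary]$Expected = $Settings
    )
    $key = Get-Item -LiteralPath $KeyPath -ErrorAction Stop
    foreach ($name in $Expected.Keys) {
        $value = $key.GetValue($name, $null)
        $status = if ($null -eq $value) {
            'NotSet'        # value absent from the key
        } elseif ($key.GetValueKind($name) -ne [Microsoft.Win32.RegistryValueKind]::DWord) {
            'WrongType'     # the advisory requires DWORD values
        } elseif ($value -lt 0 -or $value -gt $Expected[$name]) {
            'OutOfRange'    # large DWORDs surface as negative Int32
        } else {
            'OK'
        }
        [pscustomobject]@{
            Name   = $name
            Value  = $value
            Max    = $Expected[$name]
            Status = $status
        }
    }
}

Get-Http2SettingReport | Format-Table -AutoSize
```

A NotSet status on one of the Http2Max* values means that limit has not been configured on the host; values changed in the key take effect only after the restart described in the steps above.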

Updates

Product | Article | Update
Windows 10 for 32-bit Systems
Windows 10 for x64-based Systems
Windows Server 2016
Windows 10 Version 1607 for 32-bit Systems
Windows 10 Version 1607 for x64-based Systems
Windows Server 2016 (Server Core installation)
Windows 10 Version 1703 for 32-bit Systems
Windows 10 Version 1703 for x64-based Systems
Windows 10 Version 1709 for 32-bit Systems
Windows 10 Version 1709 for x64-based Systems


Exploitability

Publicly Disclosed: No
Exploited: No
Latest Software Release: Exploitation Less Likely
Older Software Release: Exploitation Less Likely
DOS: N/A

EPSS: 0.08585 (percentile: 92%, Low)
CVSS3: 7.5 High

Related vulnerabilities

CVSS3: 7.5
ubuntu
almost 6 years ago

Some HTTP/2 implementations are vulnerable to a reset flood, potentially leading to a denial of service. The attacker opens a number of streams and sends an invalid request over each stream that should solicit a stream of RST_STREAM frames from the peer. Depending on how the peer queues the RST_STREAM frames, this can consume excess memory, CPU, or both.

CVSS3: 7.5
redhat
almost 6 years ago

Some HTTP/2 implementations are vulnerable to a reset flood, potentially leading to a denial of service. The attacker opens a number of streams and sends an invalid request over each stream that should solicit a stream of RST_STREAM frames from the peer. Depending on how the peer queues the RST_STREAM frames, this can consume excess memory, CPU, or both.

CVSS3: 7.5
nvd
almost 6 years ago

Some HTTP/2 implementations are vulnerable to a reset flood, potentially leading to a denial of service. The attacker opens a number of streams and sends an invalid request over each stream that should solicit a stream of RST_STREAM frames from the peer. Depending on how the peer queues the RST_STREAM frames, this can consume excess memory, CPU, or both.

CVSS3: 7.5
debian
almost 6 years ago

Some HTTP/2 implementations are vulnerable to a reset flood, potential ...

CVSS3: 7.5
github
about 3 years ago

golang.org/x/net/http vulnerable to a reset flood
