
HTTP/2 DoS - QID 91566

Question asked by Jordan Greene on Dec 16, 2019
Latest reply on Dec 23, 2019 by Chalky_White

Qualys released a new QID last week, QID 91566, for an HTTP/2 Denial of Service vulnerability. It appears this is the latest vulnerability addressed by Microsoft that requires both a patch and a registry key to be deployed. The patch is easy; it's the monthly roll-up patch that we're all pushing anyway. That creates the required references to the new registry keys, but the guidance on the values is severely lacking. Here's what MS has:


After I install the HTTP/2 updates, is there anything else I need to do to be protected from this vulnerability?

Yes. The update adds configuration settings to the IIS server, but these settings are turned off by default. To be fully protected from the vulnerabilities, an administrator needs to configure their server to limit the number of HTTP/2 packets accepted. This can vary based on the environment and services running on each server.

Connection-specific setting

  1. Click Start, click Run, type Regedit in the Open box, and then click OK.
  2. Locate and then click the following registry subkey: HKLM\SYSTEM\CurrentControlSet\Services\HTTP\Parameters
  3. Set DWORD type value Http2MaxPingsPerMinute:
    • Range between 0 and 0xFF
    • This sets the maximum number of pings per minute a client can send to the server
  4. Exit Registry Editor.
  5. Restart the computer.

Stream-specific settings

  1. Click Start, click Run, type Regedit in the Open box, and then click OK.
  2. Locate and then click the following registry subkey: HKLM\SYSTEM\CurrentControlSet\Services\HTTP\Parameters
  3. Set DWORD type values for any of the following keys:
    • Http2MaxServerResetsPerMinute
      • Range between 0 and 0xFFFF
      • This sets the maximum number of requests per minute from a client that can generate server reset frames
    • Http2MaxPrioritiesPerStream
      • Range between 0 and 0xFF
      • This sets the maximum number of priority frames per minute a client can send to the server
    • Http2MaxResetsPerStream
      • Range between 0 and 0xFF
      • This sets the maximum number of reset frames per minute a client can send to the server
    • Http2MaxUnknownsPerStream
      • Range between 0 and 0xFF
      • This sets the maximum number of unknown frames per minute a client can send to the server
    • Http2MaxWindowUpdatesPerSend
      • Range between 0 and 0xFF
      • This sets the maximum number of window update frames per minute a client can send to the server
    • Http2MinimumSendWindowSize
      • Range between 0 and 0xFFFF
      • This sets the minimum send window size for data frames
  4. Exit Registry Editor.
  5. Restart the computer.

So we need to determine the appropriate value for our environment for each of those keys. I'm sure I'm not the only one that is missing an attribute in CMDB that defines the required number of frames for each application. Are we all just going to end up setting these keys to 0xFF (or 0xFFFF) just to be on the safe side? Pretty sure that significantly reduces the efficacy of the fix. Do you set a value of 50% and hope that doesn't break half of your apps?


Given the time of year I doubt we're going to do anything substantive around this before 2020, but I'd like to use this time to get a better understanding of where other people's minds are at on appropriate settings for these keys.
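To avoid hand-editing six DWORDs on every IIS host, here is an added PowerShell example (not from the original post, Microsoft's KB, or Qualys) that audits the HTTP.sys values quoted above against their documented ranges and applies a chosen set with `-WhatIf` support. The `Target` numbers are placeholders I made up for illustration, not recommended values; the registry path, value names and ranges are the ones the KB text lists.

```powershell
# Assumed: run elevated on the IIS host; values below are illustrative placeholders.
$HttpParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters'

# Name -> upper bound from the KB text (Max) and the value you intend to apply (Target, assumed).
$Http2Limits = [ordered]@{
    'Http2MaxPingsPerMinute'        = @{ Max = 0xFF;   Target = 0x20  }
    'Http2MaxServerResetsPerMinute' = @{ Max = 0xFFFF; Target = 0x200 }
    'Http2MaxPrioritiesPerStream'   = @{ Max = 0xFF;   Target = 0x20  }
    'Http2MaxResetsPerStream'       = @{ Max = 0xFF;   Target = 0x20  }
    'Http2MaxUnknownsPerStream'     = @{ Max = 0xFF;   Target = 0x10  }
    'Http2MaxWindowUpdatesPerSend'  = @{ Max = 0xFF;   Target = 0x20  }
    'Http2MinimumSendWindowSize'    = @{ Max = 0xFFFF; Target = 0x400 }
}

# Report each value: missing (protection still off, per the KB), set, or sitting at the top of
# its range, which is the "just set it to 0xFF" outcome the post worries about.
function Get-Http2LimitState {
    foreach ($name in $Http2Limits.Keys) {
        $current = (Get-ItemProperty -Path $HttpParams -Name $name -ErrorAction SilentlyContinue).$name
        $status = if ($null -eq $current) { 'NotSet' }
                  elseif ($current -ge $Http2Limits[$name].Max) { 'AtMaximum' }
                  else { 'Set' }
        [pscustomobject]@{ Name = $name; Current = $current; Max = $Http2Limits[$name].Max; Status = $status }
    }
}

# Write the Target values as DWORDs, refusing anything outside the documented range.
# Supports -WhatIf so the change can be reviewed before it lands; a reboot is still required.
function Set-Http2Limits {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    foreach ($name in $Http2Limits.Keys) {
        $max = $Http2Limits[$name].Max; $target = $Http2Limits[$name].Target
        if ($target -lt 0 -or $target -gt $max) {
            throw "$name target 0x$('{0:X}' -f $target) is outside the documented range 0-0x$('{0:X}' -f $max)"
        }
        if ($PSCmdlet.ShouldProcess("$HttpParams\$name", "Set DWORD to 0x$('{0:X}' -f $target)")) {
            New-ItemProperty -Path $HttpParams -Name $name -PropertyType DWord -Value $target -Force | Out-Null
        }
    }
    Write-Warning 'HTTP.sys reads these values at startup: restart the computer for them to take effect.'
}

Get-Http2LimitState | Format-Table -AutoSize
Set-Http2Limits -WhatIf   # drop -WhatIf to apply the Target values
```

Running `Get-Http2LimitState` across the estate before choosing targets gives a baseline of which hosts still have nothing set, which is the state the KB describes as unprotected.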
