Advisory ID: SYSS-2026-022
Product: Internet Information Services (IIS) on Windows Server 2025
Manufacturer: Microsoft Corporation
Affected Version(s): All versions since release
Tested Version(s): 26100.1.amd64fre.ge_release.240331-1435 and
                   26100.32230.amd64fre.lt_release_svc_prod1.260110-0031
Vulnerability Type: Asymmetric Resource Consumption (Amplification) (CWE-405)
Risk Level: Rated by Microsoft as moderate, since the attack requires
            open connections
Solution Status: Open
Manufacturer Notification: 2026-02-12
Solution Date: 2026-09
Public Disclosure: 2026-05-04
CVE Reference: MSRC does not track moderate vulnerabilities;
               no CVE number will be assigned
Author of Advisory: Dennis Kurz, SySS GmbH

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

Internet Information Services (IIS) is Microsoft's web server.

The manufacturer describes the product as follows (see [1]):

"Internet Information Services (IIS) for Windows Server® is a flexible,
secure and manageable Web server for hosting anything on the Web. From
media streaming to web applications, IIS's scalable and open
architecture is ready to handle the most demanding tasks."

Due to asymmetric resource consumption, IIS is vulnerable to
denial-of-service (DoS) attacks using the HTTP Range header.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

A DoS vulnerability exists in Windows Server 2025's IIS due to excessive
memory consumption when processing HTTP requests with multiple byte
ranges in the Range header.

The attack exploits a flaw in the 'HTTP.sys' kernel module, which
reserves about 20 times the normal amount of non-paged RAM per open
connection when processing requests containing multiple overlapping
byte ranges. Because the memory is held for as long as the connection
stays open, creating many concurrent connections and keeping them alive
achieves a DoS. With this amplification, 5,000 connections use up
16 GB of RAM.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

1. Creating connections

The following shortened HTTP request was used for the proof of concept:

GET /script.js HTTP/1.1
Host: SySS.de
Range: bytes=0-,0-,0-,0-,0-,0-,0-,0-,0-,0-,0-[--shortened--],0-

The number of overlapping ranges is limited by the maximum request size
defined in the IIS configuration. The default value is 16,384 bytes and
covers only the headers, not the body of the request.

2. Connection keep-alive

The most important step to prevent the server from recovering is keeping
the connections alive. To reduce the bandwidth used by this attack, a
combination of delayed reading of the response and a reduced receive
buffer on the attacker side was used.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

Currently, no patch is available. The vulnerability will be fixed in a
regular update for Windows Server in September 2026.

Possible remediations until September include the following:

1. Block requests with multiple ranges

This can be done using IIS URL Rewrite or any other module that allows
defining rules based on request headers.

2. Concurrent connection limits

Restrict the concurrent connections based on the IP address or IP range.
However, this remediation has multiple problems: the server can still be
targeted by distributed DoS attacks, and it could lead to problems with
networks that use NAT.
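The first remediation above (block requests with multiple ranges), written out as an IIS URL Rewrite rule in web.config; this is an added example and not part of the advisory, and the rule name and the choice of a 400 response are my assumptions. It keys on the comma that separates multiple byte ranges in the Range header, so single-range requests pass unchanged.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <rewrite>
      <rules>
        <!-- Hypothetical rule name; applies to every URL of the site. -->
        <rule name="Block multi-range requests" stopProcessing="true">
          <match url=".*" />
          <conditions>
            <!-- {HTTP_RANGE} is the Range request header as exposed by IIS.
                 A comma only appears when more than one byte range is
                 requested, e.g. "bytes=0-,0-" (the pattern used in the
                 advisory's PoC). "bytes=0-1023" does not match. -->
            <add input="{HTTP_RANGE}" pattern="," />
          </conditions>
          <!-- Reject the request before it reaches the static file handler.
               400 is an assumption; any non-2xx response that ends request
               processing serves the same purpose. -->
          <action type="CustomResponse"
                  statusCode="400"
                  statusReason="Bad Request"
                  statusDescription="Requests with multiple byte ranges are not accepted" />
        </rule>
      </rules>
    </rewrite>
  </system.webServer>
</configuration>
```

The URL Rewrite module must be installed for this section to be honoured, and any client that legitimately relies on multipart range responses will receive the 400, so review access logs for comma-separated Range headers before deploying it broadly.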
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2026-01-12: Vulnerability discovered
2026-02-12: Vulnerability reported to Microsoft
2026-03-09: Asked for a status update and received the information that
            it was rated as moderate
2026-05-04: Public disclosure of vulnerability
2026-09:    Patch released by manufacturer

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Product website for Internet Information Services (IIS)
    https://www.iis.net/overview
[2] SySS Security Advisory SYSS-2026-022
    https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2026-022.txt
[3] SySS Responsible Disclosure Policy
    https://www.syss.de/en/responsible-disclosure-policy

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Dennis Kurz of SySS GmbH.

E-Mail: dennis.kurz@syss.de
Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Dennis_Kurz.asc
Key ID: 0x75CC91B4103E513B
Key Fingerprint: 0B17 953A 516B B560 C4F7 8EB1 75CC 91B4 103E 513B

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is"
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of this security advisory is available on the SySS
website.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 4.0
URL: https://creativecommons.org/licenses/by/4.0/deed.en