CVE-2024-21350 Overview
CVE-2024-21350 is a remote code execution vulnerability in the Microsoft Windows Data Access Components (WDAC) OLE DB provider for SQL Server. The flaw is rooted in an integer overflow condition [CWE-190] within the data access provider. An attacker can convince a victim to connect to a malicious SQL Server instance, triggering the overflow and enabling arbitrary code execution in the context of the connecting user. The vulnerability affects supported releases of Windows 10, Windows 11, and Windows Server, including Server 2008 through Server 2022 23H2.
Critical Impact
Successful exploitation allows attackers to execute arbitrary code on a victim system after the user initiates a connection to an attacker-controlled SQL Server, compromising confidentiality, integrity, and availability.
Affected Products
- Microsoft Windows 10 (1507, 1607, 1809, 21H2, 22H2)
- Microsoft Windows 11 (21H2, 22H2, 23H2)
- Microsoft Windows Server 2008, 2012, 2016, 2019, 2022, and 2022 23H2
Discovery Timeline
- 2024-02-13 - Microsoft publishes advisory and patch as part of Patch Tuesday
- 2024-02-13 - CVE-2024-21350 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2024-21350
Vulnerability Analysis
The vulnerability lives in the WDAC OLE DB provider for SQL Server, a client-side component used by Windows applications to communicate with SQL Server. The provider processes responses returned by a SQL Server during connection and query operations. An integer overflow [CWE-190] occurs when the provider handles malformed or maliciously sized data structures from a remote server. The overflow corrupts internal length calculations, leading to memory corruption that an attacker can shape into arbitrary code execution in the user-mode process consuming the provider.
The flaw requires user interaction. A victim must initiate or accept a connection from an application that uses the affected OLE DB provider against an attacker-controlled SQL Server endpoint. No prior authentication on the victim system is required from the attacker's side.
Root Cause
The root cause is improper validation of size or length values used in arithmetic operations during response parsing. When attacker-controlled values cause an arithmetic wrap, downstream buffer allocations and copies operate on undersized buffers, producing exploitable memory corruption.
Attack Vector
The attack vector is network based with required user interaction. A typical exploitation path involves social engineering a user into opening a database client, BI tool, or Office document with a data connection that targets a malicious SQL Server hosted by the attacker. Once the connection negotiation begins, the malicious server returns crafted data that triggers the overflow in the client-side provider. The vulnerability is described in prose only; no public proof-of-concept code is available and the issue is not listed in CISA KEV.
Detection Methods for CVE-2024-21350
Indicators of Compromise
- Outbound connections from workstations or servers to untrusted SQL Server endpoints over TCP port 1433 or custom SQL Server ports.
- Unexpected child processes or shell activity spawned by applications that load msoledbsql.dll, oledb32.dll, or other WDAC OLE DB modules.
- Crashes or abnormal termination of database client processes immediately followed by suspicious in-process activity.
Detection Strategies
- Hunt for processes loading WDAC OLE DB provider DLLs that subsequently spawn cmd.exe, powershell.exe, or rundll32.exe.
- Inspect EDR telemetry for memory protection changes (RWX allocations) inside processes hosting OLE DB connections.
- Correlate network telemetry for SQL Server traffic to non-corporate or newly registered domains and IP ranges.
Monitoring Recommendations
- Enable PowerShell and process command-line logging on workstations that perform ad-hoc database connectivity.
- Forward Sysmon Event IDs 1, 7, and 10 to a central SIEM and alert on OLE DB module loads from atypical parents.
- Restrict and monitor outbound SQL Server protocol traffic at the perimeter using egress filtering.
How to Mitigate CVE-2024-21350
Immediate Actions Required
- Apply Microsoft's February 2024 security updates to all affected Windows 10, Windows 11, and Windows Server systems.
- Inventory endpoints and servers that use OLE DB based connectivity to SQL Server and prioritize them for patching.
- Warn users against opening database connections, Excel data sources, or BI dashboards that point to untrusted SQL Server hosts.
Patch Information
Microsoft released fixes for CVE-2024-21350 on February 13, 2024. Refer to the Microsoft Security Update Guide for the specific KB articles applicable to each Windows build. Install the cumulative update that corresponds to the operating system version in use.
Workarounds
- Block outbound TCP 1433 and other SQL Server ports to untrusted destinations at the firewall.
- Use application allowlisting to prevent unapproved database clients from executing on end-user systems.
- Enforce least privilege so that any successful exploit runs in a low-privileged user context rather than an administrative one.
# Verify the February 2024 cumulative update is installed on Windows
wmic qfe list brief /format:table | findstr /i "KB503"
# Block outbound SQL Server traffic to non-corporate destinations (example)
New-NetFirewallRule -DisplayName "Block Outbound SQL 1433" -Direction Outbound -Protocol TCP -RemotePort 1433 -Action Block -RemoteAddress Internet
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
