CVE-2024-21352 Overview
CVE-2024-21352 is a remote code execution vulnerability in the Microsoft Windows Data Access Components (WDAC) Object Linking and Embedding Database (OLE DB) provider for SQL Server. The flaw affects supported versions of Windows 10, Windows 11, and Windows Server. An unauthenticated network-based attacker can exploit the vulnerability by convincing a user to connect to a malicious SQL Server instance. Successful exploitation leads to arbitrary code execution in the context of the calling application. Microsoft tracks the underlying weakness as a numeric truncation error [CWE-197].
Critical Impact
Successful exploitation results in remote code execution on the targeted host with full confidentiality, integrity, and availability impact when a user interacts with an attacker-controlled SQL Server.
Affected Products
- Microsoft Windows 10 (versions 1507, 1607, 1809, 21H2, 22H2)
- Microsoft Windows 11 (versions 21H2, 22H2, 23H2)
- Microsoft Windows Server 2008, 2012, 2016, 2019, 2022, and 2022 23H2
Discovery Timeline
- 2024-02-13 - CVE-2024-21352 published to the National Vulnerability Database
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2024-21352
Vulnerability Analysis
The vulnerability resides in the WDAC OLE DB provider for SQL Server, the component that Windows applications use to issue queries against SQL Server instances. The provider mishandles data returned from a server during query processing. An attacker who controls the server can return crafted responses that trigger a numeric truncation error and corrupt internal state in the client process. The bug requires user interaction, meaning a victim must initiate or be coerced into initiating a connection to the malicious SQL Server. Once exploited, the attacker executes arbitrary code in the security context of the user running the connecting application.
Root Cause
The root cause is a numeric truncation error [CWE-197] in the OLE DB provider's parsing of server-supplied data. When values that exceed the expected width are converted to smaller integer types, the truncated result is used to size or index buffers without revalidation. This mismatch between trusted and actual sizes produces a memory safety violation that an attacker can shape into code execution.
Attack Vector
Exploitation is network-based and requires no prior authentication, but does require user interaction. A typical scenario involves phishing a user into opening a document, link, or application that triggers an OLE DB connection to an attacker-hosted SQL Server. The malicious server returns crafted query results that exploit the truncation flaw in the client-side provider. No specific exploit code or public proof-of-concept is referenced in the advisory, and the issue is not listed in the CISA Known Exploited Vulnerabilities catalog.
Detection Methods for CVE-2024-21352
Indicators of Compromise
- Outbound connections from msado*.dll or oledb32.dll-linked processes to untrusted SQL Server hosts on TCP/1433 or other custom ports.
- Unexpected child processes spawned by applications that consume OLE DB, such as Office binaries, Excel, or custom line-of-business tools.
- Crash dumps or Windows Error Reporting events referencing the WDAC OLE DB provider after opening an attachment or link.
Detection Strategies
- Inspect endpoint telemetry for processes loading WDAC OLE DB libraries and subsequently initiating outbound SQL connections to non-corporate IP ranges.
- Correlate email gateway events delivering .udl, .odc, .iqy, or Office documents with subsequent SQL client traffic from the recipient host.
- Use behavioral analytics to flag user applications that perform code execution actions, such as launching cmd.exe or powershell.exe, immediately after an OLE DB session.
Monitoring Recommendations
- Forward Sysmon Event IDs 1, 3, and 7 from user workstations to a centralized analytics platform and alert on anomalous loads of OLE DB modules.
- Monitor firewall and DNS logs for SQL Server connections leaving the corporate perimeter to unsanctioned destinations.
- Track Microsoft Defender or third-party EDR detections referencing WDAC, OLE DB, or SQL client exploitation attempts.
How to Mitigate CVE-2024-21352
Immediate Actions Required
- Apply the February 2024 Microsoft security updates that remediate CVE-2024-21352 across all supported Windows client and server versions.
- Inventory hosts that have not received the February 2024 cumulative update and prioritize patching of systems used by privileged users.
- Restrict outbound TCP/1433 and other SQL Server ports at the egress firewall to known corporate database hosts only.
Patch Information
Microsoft released security updates addressing CVE-2024-21352 as part of the February 2024 Patch Tuesday release. Patch details and per-OS update packages are listed in the Microsoft Security Update Guide for CVE-2024-21352. Administrators should deploy the cumulative update relevant to each affected Windows 10, Windows 11, and Windows Server build listed in the advisory.
Workarounds
- Block outbound connections to SQL Server ports from user endpoints that do not require database access.
- Use phishing-resistant email filtering to remove attachments and links that trigger external OLE DB connections.
- Enforce application allowlisting to limit which processes can load the WDAC OLE DB provider on sensitive hosts.
# Verify the February 2024 cumulative update is installed on Windows hosts
Get-HotFix | Where-Object { $_.InstalledOn -ge [datetime]'2024-02-13' } | Sort-Object InstalledOn
# Block outbound SQL Server traffic from workstations that do not require it
New-NetFirewallRule -DisplayName "Block Outbound SQL 1433" -Direction Outbound `
-Protocol TCP -RemotePort 1433 -Action Block -Profile Any
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
