CVE-2024-21359 Overview
CVE-2024-21359 is a remote code execution vulnerability in the Microsoft Windows Data Access Components (WDAC) OLE DB provider for SQL Server. The flaw is classified as a heap-based buffer overflow [CWE-122] and affects supported versions of Windows 10, Windows 11, and Windows Server. Exploitation requires an authenticated user to connect to a malicious SQL Server through the OLE DB provider, allowing the attacker to execute arbitrary code in the context of the user.
Critical Impact
Successful exploitation allows attackers to execute arbitrary code on a victim system over the network when a user is convinced to connect to an attacker-controlled SQL Server, leading to full compromise of confidentiality, integrity, and availability.
Affected Products
- Microsoft Windows 10 (versions 1507, 1607, 1809, 21H2, 22H2)
- Microsoft Windows 11 (versions 21H2, 22H2, 23H2)
- Microsoft Windows Server 2008, 2012, 2016, 2019, 2022, and Server 2022 23H2
Discovery Timeline
- 2024-02-13 - CVE-2024-21359 published to NVD and security update released by Microsoft
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2024-21359
Vulnerability Analysis
The vulnerability resides in the WDAC OLE DB provider for SQL Server, the data-access component Windows applications use to communicate with SQL Server databases. The flaw is a heap-based buffer overflow that occurs when the client-side OLE DB provider parses crafted response data returned by a SQL Server endpoint. An attacker who controls a malicious SQL Server can send specially crafted network packets that overflow a heap buffer in the client process. The corrupted memory enables arbitrary code execution within the security context of the connecting user.
Root Cause
The root cause is improper validation of length or structural fields in SQL Server response data before copying them into a fixed-size heap allocation. This [CWE-122] heap-based buffer overflow allows adjacent heap structures and metadata to be overwritten, providing primitives for code execution.
Attack Vector
Exploitation is network-based but requires user interaction. The attacker must convince an authenticated user, typically through phishing or a malicious link, to initiate a connection from a vulnerable Windows host to an attacker-controlled SQL Server. Once the connection is established, the malicious server returns crafted responses that trigger the overflow in the OLE DB provider on the client. No prior privileges on the target are required, but the user must take an action to initiate the connection.
No verified public proof-of-concept code is available. Refer to the Microsoft Security Advisory CVE-2024-21359 for vendor technical details.
Detection Methods for CVE-2024-21359
Indicators of Compromise
- Outbound TCP connections from end-user workstations to unexpected SQL Server endpoints, particularly on port 1433 to untrusted external IP addresses.
- Unexpected child processes spawned by msado15.dll, sqloledb.dll, or applications that use the OLE DB provider.
- Crash dumps or Windows Error Reporting events referencing heap corruption in OLE DB or WDAC components.
Detection Strategies
- Monitor process telemetry for applications loading the WDAC OLE DB provider and subsequently spawning shells, scripting engines, or LOLBins.
- Inspect EDR memory-protection events flagging heap corruption or exception handler abuse inside OLE DB client modules.
- Correlate phishing email indicators with subsequent SQL client connections to untrusted external hosts.
Monitoring Recommendations
- Alert on outbound SQL Server protocol (TDS) traffic egressing to non-corporate networks.
- Audit installed Windows updates to confirm the February 2024 security rollup is applied across the fleet.
- Track command-line arguments invoking tools such as sqlcmd.exe, osql.exe, or PowerShell Invoke-Sqlcmd against external hosts.
How to Mitigate CVE-2024-21359
Immediate Actions Required
- Apply the February 2024 Microsoft security updates to all affected Windows client and server systems.
- Identify hosts where WDAC and the OLE DB provider for SQL Server are present and prioritize patching.
- Educate users about phishing lures that attempt to make them connect to external SQL Server instances.
Patch Information
Microsoft released security updates addressing CVE-2024-21359 on February 13, 2024. Patch availability and KB article identifiers per Windows version are listed in the Microsoft Security Advisory CVE-2024-21359. Apply the cumulative update corresponding to each affected operating system build.
Workarounds
- Block outbound TCP 1433 and other SQL Server protocol ports from user workstations to untrusted networks at the perimeter firewall.
- Restrict execution of database client applications on endpoints that do not require SQL connectivity.
- Enforce least privilege so that any successful code execution runs in a low-privilege user context rather than as an administrator.
# Example: Windows Defender Firewall rule to block outbound TDS traffic to non-corporate networks
New-NetFirewallRule -DisplayName "Block Outbound SQL (TDS) to Internet" `
-Direction Outbound -Action Block -Protocol TCP -RemotePort 1433 `
-RemoteAddress Internet -Profile Any
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
