CVE-2024-21360 Overview
CVE-2024-21360 is a remote code execution vulnerability in the Microsoft Windows Data Access Components (WDAC) OLE DB provider for SQL Server, the legacy SQLOLEDB provider (sqloledb.dll) that ships with Windows. The flaw is classified as a heap-based buffer overflow [CWE-122] and affects supported versions of Windows 10, Windows 11, and Windows Server. The attacker needs no credentials on the target, but the attack requires user interaction: a victim must connect a vulnerable OLE DB client to an attacker-controlled SQL Server, whose crafted response triggers the overflow and lets the attacker execute arbitrary code in the context of the connecting process. Successful exploitation compromises the confidentiality, integrity, and availability of the targeted host at the privilege level of that process.
Critical Impact
Successful exploitation allows arbitrary code execution on systems whose applications use the WDAC OLE DB provider to connect to a malicious SQL Server endpoint.
Affected Products
- Microsoft Windows 10 (1507, 1607, 1809, 21H2, 22H2)
- Microsoft Windows 11 (21H2, 22H2, 23H2)
- Microsoft Windows Server 2008, 2012, 2016, 2019, 2022, and 2022 23H2
Discovery Timeline
- 2024-02-13 - CVE-2024-21360 published to the National Vulnerability Database
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2024-21360
Vulnerability Analysis
The vulnerability resides in the WDAC OLE DB provider for SQL Server, a database access component shipped with Windows. The component mishandles data returned from a SQL Server connection, leading to a heap-based buffer overflow [CWE-122]. An attacker who controls a malicious SQL Server can return crafted responses that corrupt heap memory in the connecting client process. The corruption can be steered toward arbitrary code execution within the user context running the vulnerable application.
The attack requires user interaction. A victim must be convinced to connect an OLE DB client, such as the Data Link Properties dialog, Excel, or a custom line-of-business application, to the attacker-controlled SQL Server instance. Once the connection is initiated, the malicious response travels over the network and the attacker needs no prior authentication on the target system.
Root Cause
The root cause, consistent with the CWE-122 classification, is a heap buffer that is written beyond its bounds while the provider parses a server response: the buffer is sized from length or structure information supplied by the server, and the data that follows is not checked against that size. Microsoft's advisory does not identify the exact response field or protocol structure involved. Out-of-bounds heap writes corrupt adjacent allocations, and an attacker who controls both the response layout and the timing of the client's heap activity can steer that corruption toward code execution in the client process.
Attack Vector
The attack vector is network-based and relies on social engineering to coerce the victim into initiating an outbound SQL Server connection. Common scenarios include phishing emails carrying .udl (Data Link) files, documents or applications with embedded connection strings, malicious linked-server or database-link configurations, and compromised internal hosts impersonating legitimate SQL Server endpoints. Windows opens a .udl file in the Data Link Properties dialog (rundll32.exe calling oledb32.dll,OpenDSLFile); opening the file alone only displays the dialog, and the connection is made when the user clicks Test Connection or when an application consumes the file. No public exploit code has been verified for this CVE. See the Microsoft Security Update Guide entry for CVE-2024-21360 for the vendor's technical details.
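The following is an added example, not code from this page or from Microsoft: a Python triage script that decodes a Data Link (.udl) file, extracts the Provider and Data Source from its OLE DB initstring, and checks the target against an approved database inventory, so an analyst can tell where a suspicious attachment would send a client before anyone clicks Test Connection. The inventory entries, host names, and the sample .udl contents are constructed assumptions.

```python
"""Triage a Data Link (.udl) attachment: decode it, parse the OLE DB
initstring, and flag connections to SQL Servers outside the approved inventory."""
import ipaddress

# Hypothetical approved inventory; replace with the organisation's own list.
APPROVED_HOSTS = {"sql01.corp.example", "sql02.corp.example"}
APPROVED_NETWORKS = [ipaddress.ip_network("10.20.30.0/24")]

# SQLOLEDB is the WDAC provider named in the advisory. SQLNCLI*/MSOLEDBSQL are
# separate drivers (not covered by this CVE) and are listed only so the triage
# reports them instead of silently treating the file as harmless.
WDAC_SQL_PROVIDERS = {"SQLOLEDB"}
OTHER_SQL_PROVIDERS = {"SQLNCLI", "SQLNCLI10", "SQLNCLI11", "MSOLEDBSQL"}


def decode_udl(data: bytes) -> str:
    """Files written by the Data Link Properties dialog are UTF-16 LE with a
    byte-order mark; hand-written or older files may be ANSI."""
    if data[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return data.decode("utf-16")
    return data.decode("cp1252", errors="replace")


def parse_initstring(text: str) -> dict:
    """Return initstring properties as a dict keyed by lower-cased name.
    ';' lines are comments and '[oledb]' is the section header. Values are
    assumed not to contain embedded semicolons (rare in .udl files)."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";") or line.startswith("["):
            continue
        for part in line.split(";"):
            if "=" in part:
                key, value = part.split("=", 1)
                props[key.strip().lower()] = value.strip().strip('"')
    return props


def split_data_source(value: str):
    """'tcp:host\\instance,port' -> (host, instance, port). Port defaults to
    1433 only for an unnamed instance; a named instance without a port is
    resolved at run time via SQL Browser (UDP 1434), so it is left None."""
    v = value.strip()
    for prefix in ("tcp:", "np:", "lpc:"):
        if v.lower().startswith(prefix):
            v = v[len(prefix):]
    port = None
    if "," in v:
        v, port_str = v.rsplit(",", 1)
        port = int(port_str) if port_str.strip().isdigit() else None
    instance = None
    if "\\" in v:
        v, instance = v.split("\\", 1)
    host = v.strip().lower()
    if port is None and instance is None:
        port = 1433
    return host, instance, port


def host_is_approved(host: str) -> bool:
    if host in APPROVED_HOSTS:
        return True
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False
    return any(addr in net for net in APPROVED_NETWORKS)


def triage_udl(data: bytes) -> dict:
    props = parse_initstring(decode_udl(data))
    provider = props.get("provider", "").split(".")[0].upper()  # 'SQLOLEDB.1' -> 'SQLOLEDB'
    # 'Data Source' is canonical; 'Server' and 'Address' are accepted aliases.
    ds = props.get("data source") or props.get("server") or props.get("address") or ""
    host, instance, port = split_data_source(ds)
    if provider in WDAC_SQL_PROVIDERS:
        scope = "wdac-sqloledb"
    elif provider in OTHER_SQL_PROVIDERS:
        scope = "other-sql-provider"
    else:
        scope = "not-sql-server"
    return {
        "provider": provider, "host": host, "instance": instance, "port": port,
        "scope": scope,
        "verdict": "approved" if host_is_approved(host) else "untrusted",
    }


# Constructed sample: a lure-style .udl pointing at an Internet host.
SAMPLE_UDL = (
    "[oledb]\r\n"
    "; Everything after this line is an OLE DB initstring\r\n"
    "Provider=SQLOLEDB.1;Persist Security Info=False;User ID=reports;"
    "Initial Catalog=Sales;Data Source=tcp:198.51.100.23,1433\r\n"
).encode("utf-16")

if __name__ == "__main__":
    print(triage_udl(SAMPLE_UDL))
```

A verdict of "untrusted" together with scope "wdac-sqloledb" is the combination to escalate: the file would drive the vulnerable provider to a server that is not in the inventory. A named instance with no port is the case firewall rules on TCP 1433 alone will miss.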
Detection Methods for CVE-2024-21360
Indicators of Compromise
- Outbound TCP connections from workstations to untrusted SQL Server endpoints on port 1433; named instances negotiate dynamic ports through SQL Browser (UDP 1434), so connections to non-standard ports also count.
- Unexpected child processes spawned from applications hosting the OLE DB provider, such as excel.exe, PBIDesktop.exe (Power BI Desktop), rundll32.exe hosting the Data Link Properties dialog, or custom line-of-business clients.
- Crash dumps, Windows Error Reporting, or Application Error (Event ID 1000) events whose faulting module is sqloledb.dll or oledb32.dll with an access violation (0xc0000005) exception.
Detection Strategies
- Hunt for rundll32.exe launching oledb32.dll,OpenDSLFile (the .udl handler) on files in Downloads, mail or browser cache, or temporary directories, and for OLE DB client applications reading .udl files from those locations.
- Alert on user-mode crashes inside OLE DB provider modules that coincide with outbound SQL Server traffic.
- Correlate process execution telemetry with network flow data to identify clients connecting to SQL Server instances outside the approved database inventory.
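Added example, not from the original page or any vendor tooling: a Python correlation over constructed, pre-normalised Sysmon (Event ID 1 process create, Event ID 3 network connect) and Application-log (Event ID 1000, Application Error) records that implements the three strategies above, including the crash-after-egress join. Field names, host names, PIDs, and the approved-server list are assumptions; a real SIEM schema will differ and the hex "Faulting process id" of Event 1000 is assumed already converted to decimal.

```python
"""Correlate OLE DB client telemetry for CVE-2024-21360 hunting."""
import re
from datetime import datetime, timedelta

APPROVED_SQL_SERVERS = {"10.20.30.5", "10.20.30.6"}  # hypothetical inventory
OLEDB_MODULES = {"sqloledb.dll", "oledb32.dll"}
UNTRUSTED_DIRS = ("\\downloads\\", "\\appdata\\local\\temp\\", "\\inetcache\\")
CRASH_WINDOW = timedelta(seconds=120)  # egress-to-crash window worth escalating
# Matches the .udl file-association command: ...oledb32.dll",OpenDSLFile <file>
UDL_HANDLER = re.compile(r'oledb32\.dll"?,\s*opendslfile', re.IGNORECASE)

# Constructed events in the flattened shape a SIEM yields after parsing.
EVENTS = [
    {"ts": "2024-02-14T09:01:02", "id": 1, "host": "WS-0417", "pid": 5120,
     "image": "C:\\Windows\\System32\\rundll32.exe",
     "cmdline": 'rundll32.exe "C:\\Program Files\\Common Files\\System\\Ole DB\\oledb32.dll",OpenDSLFile '
                '"C:\\Users\\amy\\Downloads\\Q1_Report.udl"'},
    {"ts": "2024-02-14T09:01:09", "id": 3, "host": "WS-0417", "pid": 5120,
     "image": "C:\\Windows\\System32\\rundll32.exe",
     "proto": "tcp", "dst_ip": "198.51.100.23", "dst_port": 1433},
    {"ts": "2024-02-14T09:01:11", "id": 1000, "host": "WS-0417", "pid": 5120,
     "image": "rundll32.exe", "faulting_module": "sqloledb.dll", "exception": "0xc0000005"},
    {"ts": "2024-02-14T09:05:00", "id": 3, "host": "WS-0902", "pid": 7788,
     "image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE",
     "proto": "tcp", "dst_ip": "10.20.30.5", "dst_port": 1433},
]


def ts(event: dict) -> datetime:
    return datetime.fromisoformat(event["ts"])


def detect(events):
    """Run the three detections and return alerts as
    (severity, rule, host, pid) tuples in time order."""
    ordered = sorted(events, key=ts)
    alerts = []
    for e in ordered:
        if e["id"] == 1 and UDL_HANDLER.search(e.get("cmdline", "")):
            # .udl opened through the Data Link Properties dialog: only
            # interesting when the file came from an untrusted location.
            cmd = e["cmdline"].lower()
            if any(d in cmd for d in UNTRUSTED_DIRS):
                alerts.append(("medium", "udl-opened-from-untrusted-location", e["host"], e["pid"]))
        elif e["id"] == 3 and e.get("proto") == "tcp" and e.get("dst_port") == 1433:
            # Port-only matching misses named instances on dynamic ports; an
            # allow-list keyed on process image would be the stronger variant.
            if e["dst_ip"] not in APPROVED_SQL_SERVERS:
                alerts.append(("medium", "sql-egress-outside-inventory", e["host"], e["pid"]))
        elif e["id"] == 1000 and e.get("faulting_module", "").lower() in OLEDB_MODULES:
            # Crash inside the OLE DB stack: escalate when the same process
            # connected to a SQL Server shortly before it died.
            t_crash = ts(e)
            prior_sql = [c for c in ordered
                         if c["id"] == 3 and c["host"] == e["host"] and c.get("pid") == e["pid"]
                         and c.get("dst_port") == 1433
                         and timedelta(0) <= t_crash - ts(c) <= CRASH_WINDOW]
            if prior_sql:
                alerts.append(("high", "oledb-crash-after-sql-egress", e["host"], e["pid"]))
            else:
                alerts.append(("low", "oledb-crash", e["host"], e["pid"]))
    return alerts


if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

The join on host and PID is what turns a low-value crash signal into a high-confidence one: a single process that opened a .udl from Downloads, reached an unknown server on 1433, and then faulted in sqloledb.dll within two minutes is the exact sequence this CVE's exploitation would leave behind, and a failed exploitation attempt still produces it.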
Monitoring Recommendations
- The SQLOLEDB provider ships with every supported Windows version, so track patch compliance against the February 2024 Microsoft security update across the whole Windows estate; separately inventory the applications that actually use the provider so their hosts can be prioritized.
- Monitor egress traffic to TCP 1433 and restrict it to authorized database server IPs using firewall or network segmentation policies; named instances are assigned dynamic ports via SQL Browser (UDP 1434), so port-only filtering does not cover them.
- Record which processes load sqloledb.dll and oledb32.dll, for example with Sysmon image-load events (Event ID 7) or AppLocker DLL rules in audit mode, to spot non-database applications using the provider. Note that the WDAC in this CVE's name is Windows Data Access Components, not Windows Defender Application Control.
How to Mitigate CVE-2024-21360
Immediate Actions Required
- Apply the Microsoft February 2024 security updates to all affected Windows 10, Windows 11, and Windows Server systems.
- Identify endpoints and servers running applications that depend on the WDAC OLE DB provider and prioritize them for patching.
- Block outbound SQL Server traffic from user workstations to destinations outside the authorized database server range.
Patch Information
Microsoft released cumulative security updates addressing CVE-2024-21360 on February 13, 2024. Patches are distributed through Windows Update, WSUS, and the Microsoft Update Catalog. Refer to the Microsoft Security Update CVE-2024-21360 advisory for KB article numbers tied to each Windows version.
Workarounds
- Restrict user ability to open .udl and other database connection files received from untrusted sources via email or web downloads.
- Use host-based firewall rules to permit SQL Server connectivity only to known internal database servers.
- Educate users about phishing campaigns that lure them into connecting database clients to attacker-controlled servers.
# Configuration example: restrict outbound SQL Server traffic via Windows Firewall.
# Block rules take precedence over allow rules, so the block must itself exclude
# the authorized database range (10.20.30.0/24 below is a placeholder).
New-NetFirewallRule -DisplayName "Block Untrusted SQL Server Egress" `
    -Direction Outbound -Protocol TCP -RemotePort 1433 `
    -RemoteAddress "0.0.0.0-10.20.29.255","10.20.31.0-255.255.255.255" `
    -Action Block -Profile Any
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


