CVE-2024-21365 Overview
CVE-2024-21365 is a remote code execution vulnerability in the Microsoft Windows Data Access Components (WDAC) OLE DB provider for SQL Server. The flaw is rooted in a heap-based buffer overflow ([CWE-122]) within the provider component and allows an unauthenticated network attacker to execute arbitrary code on a vulnerable system. Exploitation requires user interaction, typically by convincing a target to connect to an attacker-controlled SQL Server instance. Microsoft published the advisory on February 13, 2024, covering all supported releases of Windows 10, Windows 11, and Windows Server.
Critical Impact
Successful exploitation grants the attacker full confidentiality, integrity, and availability impact on the target host, enabling arbitrary code execution in the context of the calling application.
Affected Products
- Microsoft Windows 10 (1507, 1607, 1809, 21H2, 22H2)
- Microsoft Windows 11 (21H2, 22H2, 23H2)
- Microsoft Windows Server 2008, 2012, 2016, 2019, 2022, and 2022 23H2
Discovery Timeline
- 2024-02-13 - CVE-2024-21365 published to the National Vulnerability Database
- 2024-02-13 - Microsoft releases security update addressing the vulnerability
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2024-21365
Vulnerability Analysis
The vulnerability resides in the Microsoft WDAC OLE DB provider for SQL Server, the client-side library that Windows applications use to connect to and query SQL Server databases. A heap-based buffer overflow ([CWE-122]) occurs when the provider processes malformed response data returned from a SQL Server endpoint. An attacker who controls the server side of the connection can craft network traffic that overruns a heap buffer in the client process, corrupting adjacent memory.
The attack chain typically requires the attacker to host a malicious SQL Server instance and lure a victim into initiating a connection from a client application that loads the WDAC OLE DB provider. Because the provider executes within the calling application, successful exploitation yields code execution with the privileges of that process.
The EPSS score is 1.92% with a percentile of 83.667, indicating an elevated exploitation likelihood relative to most CVEs. No public proof-of-concept exploit or CISA KEV entry exists at the time of writing.
Root Cause
The root cause is improper validation of attacker-controlled length or structural fields in SQL Server protocol responses parsed by the OLE DB provider. The provider allocates a fixed-size heap buffer based on assumed input bounds and then copies data without enforcing those bounds, leading to a heap overflow that overwrites adjacent allocations.
Attack Vector
The attack vector is network-based but requires user interaction. A typical scenario involves an attacker sending a phishing message containing a connection string, ODBC data source, or document that triggers the victim's application to open a database connection to an attacker-controlled host. Once the client connects, the malicious server returns a crafted response that triggers the overflow. Refer to the Microsoft Security Update CVE-2024-21365 advisory for protocol-level details.
Detection Methods for CVE-2024-21365
Indicators of Compromise
- Outbound TCP connections from client workstations to untrusted external SQL Server endpoints, particularly on port 1433 or non-standard SQL ports.
- Unexpected child processes spawned by applications that load msoledbsql.dll or sqloledb.dll, such as Office, Power BI, or custom line-of-business tools.
- Application crashes referencing the OLE DB provider modules in Windows Error Reporting or WER dumps.
Detection Strategies
- Hunt for processes loading the WDAC OLE DB provider DLLs followed by anomalous behavior such as shell execution, LOLBin invocation, or unexpected network egress.
- Correlate user-initiated document opens with subsequent outbound SQL traffic to internet-facing IP addresses.
- Inspect EDR telemetry for heap corruption signatures and exception events within msoledbsql.dll or oledb32.dll.
Monitoring Recommendations
- Restrict and log outbound TCP traffic to SQL Server ports at the perimeter and alert on connections to non-corporate destinations.
- Enable PowerShell, Office, and process-creation auditing to capture the parent-child chain leading to OLE DB provider use.
- Forward Windows Error Reporting events and crash dumps for OLE DB-related faults to a centralized monitoring pipeline.
How to Mitigate CVE-2024-21365
Immediate Actions Required
- Apply the February 2024 Microsoft security updates to all Windows 10, Windows 11, and Windows Server systems listed in the advisory.
- Inventory endpoints with msoledbsql.dll or sqloledb.dll deployed and prioritize patching for workstations that handle external data sources.
- Block outbound connections to untrusted SQL Server destinations at egress firewalls and proxies.
- Train users to avoid opening database connection files (.udl, .odc, .iqy) received from untrusted sources.
Patch Information
Microsoft released the official fix on February 13, 2024 through the monthly security update channel. Administrators should consult the Microsoft Security Update CVE-2024-21365 advisory for the KB numbers applicable to each affected Windows build and deploy them via Windows Update, WSUS, or Microsoft Update Catalog.
Workarounds
- Where patching is delayed, block TCP traffic to external SQL Server endpoints using host or perimeter firewall rules.
- Disable or remove unused ODBC and OLE DB data sources from endpoints to reduce the exposed attack surface.
- Enforce application allowlisting to prevent untrusted processes from loading the WDAC OLE DB provider.
# Example Windows Firewall rule to block outbound SQL traffic to non-corporate networks
netsh advfirewall firewall add rule name="Block Outbound SQL 1433" \
dir=out action=block protocol=TCP remoteport=1433 \
remoteip=!10.0.0.0/8,!172.16.0.0/12,!192.168.0.0/16
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
