CVE-2024-21367 Overview
CVE-2024-21367 is a remote code execution vulnerability in the Microsoft Windows Data Access Components (WDAC) OLE DB provider for SQL Server. The flaw allows a network-based attacker to execute arbitrary code on a target system when a user is convinced to connect to an attacker-controlled SQL Server. Microsoft classifies the issue as a heap-based buffer overflow [CWE-122] in the OLE DB client driver. The vulnerability affects supported releases of Windows 10, Windows 11, and Windows Server, including Server 2008 through Server 2022 23H2.
Critical Impact
Successful exploitation grants the attacker code execution in the context of the user running the vulnerable client, with high impact to confidentiality, integrity, and availability.
Affected Products
- Microsoft Windows 10 (versions 1507, 1607, 1809, 21H2, 22H2)
- Microsoft Windows 11 (versions 21H2, 22H2, 23H2)
- Microsoft Windows Server 2008, 2012, 2016, 2019, 2022, and 2022 23H2
Discovery Timeline
- 2024-02-13 - CVE-2024-21367 published to NVD and addressed in Microsoft's February 2024 Patch Tuesday
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2024-21367
Vulnerability Analysis
The vulnerability resides in the WDAC OLE DB provider for SQL Server, the client-side database access driver shipped with Windows. The driver mishandles structured data returned from a SQL Server, producing a heap-based buffer overflow [CWE-122] in the client process. Exploitation requires user interaction: a victim must initiate a connection from a vulnerable client to a SQL Server controlled by the attacker. Because the attack targets the client, the attacker needs no access to any internal database server. The EPSS probability for this CVE is approximately 1.9%, placing it in the 83rd percentile of vulnerabilities by predicted exploitation likelihood.
Root Cause
The root cause is improper bounds checking when the OLE DB provider parses response packets sent by the server in the Tabular Data Stream (TDS) protocol. Malformed length or type fields cause the driver to write past the end of a heap buffer, corrupting adjacent memory structures used by the client process.
Attack Vector
An attacker stands up a malicious SQL Server endpoint and lures a victim into connecting to it through phishing, a crafted document, or an application that initiates outbound database connections. When the client uses MSOLEDBSQL or SQLOLEDB to connect, the attacker returns a crafted TDS response that triggers the overflow and executes code in the context of the victim user.
No verified public proof-of-concept code is available for this issue. See the Microsoft Security Update Guide entry for CVE-2024-21367 for vendor technical details.
Detection Methods for CVE-2024-21367
Indicators of Compromise
- Outbound TCP connections from end-user workstations or application servers to untrusted SQL Server endpoints on port 1433 or non-standard SQL ports
- Unexpected child processes spawned by applications that load msoledbsql.dll or sqloledb.dll
- Crash reports or Windows Error Reporting events referencing the OLE DB provider modules
Detection Strategies
- Inspect process telemetry for modules msoledbsql.dll and sqloledb.dll loaded by user-facing processes such as Office applications, browsers, or scripting hosts
- Alert when processes that load OLE DB providers spawn shell interpreters such as cmd.exe, powershell.exe, or rundll32.exe
- Correlate outbound TDS traffic with the initiating process and user identity to surface connections to attacker-controlled servers
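The three detection strategies above, combined into one correlation routine over constructed Sysmon-style endpoint events (this is an added example, not code from the original advisory or from Microsoft; the event field names, process names, the allowlist of sanctioned SQL Servers and the sample addresses are assumptions):

```python
"""Correlate endpoint telemetry to surface CVE-2024-21367 exploitation patterns."""

OLEDB_PROVIDERS = {"msoledbsql.dll", "sqloledb.dll"}
USER_FACING = {"winword.exe", "excel.exe", "outlook.exe", "chrome.exe", "msedge.exe",
               "wscript.exe", "cscript.exe"}          # assumed set of user-facing hosts
SHELLS = {"cmd.exe", "powershell.exe", "rundll32.exe"}
KNOWN_SQL_SERVERS = {"10.10.5.20"}   # constructed allowlist of sanctioned internal SQL Servers

# Constructed sample events, loosely modelled on Sysmon ImageLoad / NetworkConnect /
# ProcessCreate records; none of these are real captures.
EVENTS = [
    {"type": "ImageLoad", "pid": 4100, "image": r"C:\Office16\WINWORD.EXE",
     "loaded": r"C:\Windows\System32\msoledbsql.dll", "user": "CORP\\alice"},
    {"type": "NetworkConnect", "pid": 4100, "dst": "203.0.113.7", "dport": 1433,
     "user": "CORP\\alice"},
    {"type": "ProcessCreate", "ppid": 4100, "pid": 4188,
     "image": r"C:\Windows\System32\cmd.exe", "user": "CORP\\alice"},
    {"type": "ImageLoad", "pid": 5200, "image": r"C:\App\ReportService.exe",
     "loaded": r"C:\Windows\System32\sqloledb.dll", "user": "CORP\\svc_report"},
    {"type": "NetworkConnect", "pid": 5200, "dst": "10.10.5.20", "dport": 1433,
     "user": "CORP\\svc_report"},
]


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return (rule, pid, detail) tuples for processes that loaded an OLE DB provider."""
    loaded = {}   # pid -> image name of the process that loaded msoledbsql/sqloledb
    alerts = []
    for e in events:
        if e["type"] == "ImageLoad" and basename(e["loaded"]) in OLEDB_PROVIDERS:
            proc = basename(e["image"])
            loaded[e["pid"]] = proc
            if proc in USER_FACING:          # strategy 1: provider inside a user-facing app
                alerts.append(("OLEDB_LOAD_IN_USER_APP", e["pid"], proc))
        elif e["type"] == "NetworkConnect" and e["pid"] in loaded:
            # strategy 3: any egress from a provider-loaded process to a server that is not
            # sanctioned, on any port, so non-standard SQL ports are covered too
            if e["dst"] not in KNOWN_SQL_SERVERS:
                alerts.append(("TDS_EGRESS_UNTRUSTED", e["pid"],
                               f'{e["user"]} -> {e["dst"]}:{e["dport"]}'))
        elif e["type"] == "ProcessCreate" and e["ppid"] in loaded:
            child = basename(e["image"])
            if child in SHELLS:              # strategy 2: provider host spawns a shell
                alerts.append(("OLEDB_PROC_SPAWNS_SHELL", e["ppid"],
                               f'{loaded[e["ppid"]]} -> {child}'))
    return alerts


if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(*alert)
```

The sanctioned service account connecting to an allowlisted server produces no alert, while the Word process that loads the provider, reaches an unknown host and then spawns cmd.exe triggers all three rules.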
Monitoring Recommendations
- Log and review egress connections to TCP/1433 and other SQL Server ports from segments where outbound database traffic is not expected
- Monitor for application crashes referencing heap corruption inside OLE DB provider modules
- Track patch state for the February 2024 cumulative update across all Windows endpoints and servers
How to Mitigate CVE-2024-21367
Immediate Actions Required
- Apply the February 2024 Microsoft security update that addresses CVE-2024-21367 to all affected Windows clients and servers
- Identify hosts that contain msoledbsql.dll or sqloledb.dll and prioritize patching for endpoints used by privileged users and developers
- Restrict outbound TCP/1433 and SQL Server traffic at the perimeter so end-user workstations cannot reach arbitrary external SQL Servers
Patch Information
Microsoft released fixes through the February 2024 Patch Tuesday cycle. Refer to the Microsoft Security Update Guide for CVE-2024-21367 for the specific KB articles and updated package versions for each affected Windows release.
Workarounds
- Block outbound connections to SQL Server ports from user workstations using host or network firewalls until patching is complete
- Educate users to avoid opening documents or links that initiate database connections to untrusted hosts
- Disable or remove the OLE DB provider on systems that do not require SQL Server client connectivity
# Block outbound SQL Server traffic (TCP/1433) from a Windows client as a temporary mitigation; run from an elevated PowerShell session
New-NetFirewallRule -DisplayName "Block Outbound SQL 1433" -Direction Outbound -Protocol TCP -RemotePort 1433 -Action Block
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.