CVE-2024-21428 Overview
CVE-2024-21428 is a remote code execution vulnerability in the Microsoft SQL Server Native Client OLE DB Provider. The flaw stems from an integer overflow condition [CWE-190] that attackers can trigger when a client connects to a malicious SQL Server instance. Successful exploitation allows arbitrary code execution in the context of the affected client process.
Microsoft assigned this issue a CVSS 3.1 base score of 8.8 and published the advisory on July 9, 2024. The vulnerability requires user interaction, meaning the victim must initiate a connection to an attacker-controlled server. All currently supported SQL Server releases from 2016 through 2022 are affected.
Critical Impact
Attackers who trick a user into connecting to a malicious database server can execute arbitrary code on the client system, compromising confidentiality, integrity, and availability.
Affected Products
- Microsoft SQL Server 2016 (x64)
- Microsoft SQL Server 2017 (x64)
- Microsoft SQL Server 2019 (x64)
- Microsoft SQL Server 2022 (x64)
Discovery Timeline
- 2024-07-09 - CVE-2024-21428 published to NVD
- 2024-07-09 - Microsoft releases security update for CVE-2024-21428
- 2025-01-15 - Last updated in NVD database
Technical Details for CVE-2024-21428
Vulnerability Analysis
The vulnerability resides in the SQL Server Native Client OLE DB Provider (MSOLEDBSQL), which client applications use to connect to SQL Server instances over the Tabular Data Stream (TDS) protocol. The provider mishandles size or length calculations on data returned by the server, producing an integer overflow [CWE-190]. The overflow leads to undersized buffer allocations and subsequent memory corruption during response parsing.
An attacker hosting a malicious SQL Server endpoint can craft TDS response packets that trigger the overflow on connecting clients. Because the OLE DB provider executes within the client application's process space, successful exploitation yields code execution at the privilege level of that process. The EPSS score for this CVE is 2.402% (85th percentile), reflecting elevated likelihood of exploitation activity relative to the average CVE.
Root Cause
The defect is an integer overflow during input length handling in the OLE DB provider's data parsing routines. When server-supplied size fields are multiplied or added without proper bounds checking, the result wraps around, causing the provider to allocate smaller buffers than required. Subsequent writes overflow these buffers and corrupt adjacent memory structures, including function pointers and control-flow data.
Attack Vector
Exploitation is network-based but requires user interaction. The attacker must convince a user, through phishing or a malicious application, to initiate an OLE DB connection to a server under attacker control. Common vectors include linked-server queries, Excel data import features, and custom applications that consume MSOLEDBSQL connection strings. Once the connection handshake completes, the attacker server returns malformed TDS responses that trigger memory corruption inside the victim's client process.
No public proof-of-concept code is available and the vulnerability is not listed on the CISA Known Exploited Vulnerabilities catalog. Refer to the Microsoft Security Update CVE-2024-21428 advisory for additional technical detail.
Detection Methods for CVE-2024-21428
Indicators of Compromise
- Outbound TCP connections from end-user workstations to unfamiliar SQL Server hosts on port 1433 or other TDS ports.
- Unexpected child processes spawned by Office applications, Excel, SSMS, or custom apps that load msoledbsql.dll.
- Crash events referencing msoledbsql.dll or sqlncli11.dll in the Windows Application event log.
- Anomalous memory allocations or heap corruption telemetry within processes hosting the OLE DB provider.
Detection Strategies
- Inventory endpoints loading msoledbsql.dll and correlate destination IPs against threat intelligence feeds for malicious SQL endpoints.
- Monitor for TDS connections from non-database hosts to external or non-corporate IP ranges, which indicates user-initiated rogue connections.
- Hunt for process-injection or shellcode patterns inside applications that legitimately use OLE DB but should not spawn shells or scripting interpreters.
Monitoring Recommendations
- Enable Windows Defender Exploit Guard or equivalent memory-protection telemetry on workstations running SQL client tooling.
- Forward Sysmon Event ID 7 (image loaded) data for msoledbsql.dll and Event ID 1 (process create) to a centralized logging platform for correlation.
- Alert on TDS protocol traffic destined for IP addresses outside the approved database server inventory.
How to Mitigate CVE-2024-21428
Immediate Actions Required
- Apply the Microsoft security update for CVE-2024-21428 to all SQL Server 2016, 2017, 2019, and 2022 deployments and client installations of the OLE DB Driver for SQL Server.
- Update the standalone MSOLEDBSQL driver on every workstation that connects to SQL Server, including developer machines and analytics clients.
- Audit applications and Excel workbooks for hardcoded connection strings pointing to untrusted servers and remove them.
Patch Information
Microsoft published the official fix on July 9, 2024. Customers should download and deploy the cumulative update referenced in the Microsoft Security Update CVE-2024-21428 advisory. Both server-side SQL Server installations and standalone OLE DB Driver redistributables require updating.
Workarounds
- Block outbound TCP port 1433 and other TDS ports at the perimeter except to approved internal database servers.
- Restrict end-user permissions to create ad-hoc database connections via Group Policy and application allowlisting.
- Disable or remove the legacy SQL Server Native Client (SQLNCLI11) on systems that do not require it, since it shares the affected code paths.
# Configuration example: block outbound TDS on Windows endpoints
New-NetFirewallRule -DisplayName "Block Outbound TDS to External" `
-Direction Outbound -Action Block -Protocol TCP -RemotePort 1433 `
-RemoteAddress Internet -Profile Any
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
