CVE-2024-21450: Windows 10 1507 WDAC SQL Server RCE Flaw

CVE-2024-21450 Overview

CVE-2024-21450 is a remote code execution vulnerability in the Microsoft Windows Data Access Components (WDAC) OLE DB provider for SQL Server. The flaw stems from an integer overflow condition [CWE-190] in the provider's handling of network-supplied data from a malicious SQL Server. An attacker who controls a SQL Server instance can execute arbitrary code on a client system once a user is convinced to initiate a connection. Microsoft addressed the issue across all supported versions of Windows 10, Windows 11, and Windows Server in the March 2024 Patch Tuesday release.

Critical Impact

Successful exploitation grants the attacker the ability to execute code in the context of the connecting user, leading to full compromise of confidentiality, integrity, and availability on the targeted host.

Affected Products

• Microsoft Windows 10 (1507, 1607, 1809, 21H2, 22H2)
• Microsoft Windows 11 (21H2, 22H2, 23H2)
• Microsoft Windows Server 2008, 2012, 2016, 2019, 2022, and 2022 23H2

Discovery Timeline

• 2024-03-12 - CVE-2024-21450 published to NVD and Microsoft releases security patch
• 2024-12-05 - Last updated in NVD database

Technical Details for CVE-2024-21450

Vulnerability Analysis

The vulnerability resides in the OLE DB provider for SQL Server, a component shipped with the Windows Data Access Components stack (msoledbsql / sqloledb). When a client application connects to a SQL Server using the OLE DB provider, the provider parses Tabular Data Stream (TDS) responses returned by the server. The vulnerable code path performs arithmetic on attacker-controlled length or size fields without sufficient bounds checking, producing an integer overflow [CWE-190].

The overflow causes an undersized buffer allocation followed by a larger memory copy, corrupting adjacent heap memory. An attacker who hosts a malicious SQL Server can craft TDS responses that drive the overflowed allocation toward attacker-controlled values. The result is heap-based memory corruption that can be steered to control program flow and execute code in the context of the client process.

Root Cause

The root cause is improper validation of numeric values used in buffer sizing during response parsing. Arithmetic operations on length fields wrap around the 32-bit boundary, producing a small allocation that is then filled with the full untrusted payload from the server.

Attack Vector

Exploitation requires user interaction. An attacker must convince an authenticated user to connect to a malicious SQL Server instance, for example through a phishing link, a crafted ODBC data source, or an application configuration that points to an attacker-controlled host. Once the OLE DB provider parses the malicious response, code execution occurs without further user action. The attack is performed over the network at the typical SQL Server port (TCP/1433 by default).

No public proof-of-concept has been published, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. The EPSS score is 1.583% (81.9th percentile), indicating elevated but not confirmed in-the-wild exploitation likelihood.

Detection Methods for CVE-2024-21450

Indicators of Compromise

• Outbound TCP/1433 (or custom SQL Server port) connections from workstations or application servers to untrusted external IP addresses.
• Unexpected child processes spawned from applications hosting the OLE DB provider, such as Excel, Power BI, SSMS, or custom line-of-business tools.
• Crashes or anomalous heap exceptions in processes loading msoledbsql.dll or sqloledb.dll.
• New or modified ODBC/OLE DB Data Source Names (DSNs) pointing to unknown hosts in HKLM\SOFTWARE\ODBC or HKCU\SOFTWARE\ODBC.

Detection Strategies

• Hunt for processes that load msoledbsql.dll or sqloledb.dll and subsequently initiate suspicious child processes such as cmd.exe, powershell.exe, or rundll32.exe.
• Alert on Office or business intelligence applications establishing direct outbound connections on TCP/1433 to non-corporate destinations.
• Correlate Windows Error Reporting events for access violations in processes hosting OLE DB with concurrent SQL Server connections to external addresses.

Monitoring Recommendations

• Enable network egress logging for SQL Server protocol ports and restrict outbound 1433/tcp at the perimeter to known database hosts.
• Inventory endpoints running the WDAC OLE DB provider and verify March 2024 cumulative updates are applied.
• Monitor changes to ODBC and OLE DB connection strings deployed through Group Policy Preferences and registry hives.

How to Mitigate CVE-2024-21450

Immediate Actions Required

• Apply the March 2024 Microsoft security updates to every affected Windows 10, Windows 11, and Windows Server system per the Microsoft Vulnerability Advisory.
• Update standalone deployments of the Microsoft OLE DB Driver for SQL Server (msoledbsql) to the latest vendor-supplied release on application and ETL servers.
• Educate users with database client tooling to refuse connection prompts to unknown or unsolicited SQL Server hosts.

Patch Information

Microsoft released fixes on March 12, 2024 as part of Patch Tuesday. The update is delivered through the monthly Windows cumulative updates for each supported Windows release. Refer to the Microsoft Vulnerability Advisory for the KB article matching each affected platform.

Workarounds

• Block outbound TCP/1433 and other SQL Server ports at the firewall except to approved internal database servers, preventing connections to attacker-controlled hosts.
• Restrict use of the OLE DB provider in untrusted contexts by removing or disabling unused DSNs and connection strings on user endpoints.
• Apply application allow-listing to limit which processes may load msoledbsql.dll and sqloledb.dll.

# Block outbound SQL Server traffic to non-corporate destinations (Windows Firewall example)
New-NetFirewallRule -DisplayName "Block Outbound SQL 1433 to Untrusted" `
  -Direction Outbound -Protocol TCP -RemotePort 1433 `
  -RemoteAddress Internet -Action Block