CVE-2024-28910 Overview
CVE-2024-28910 is a remote code execution vulnerability affecting the Microsoft OLE DB Driver for SQL Server. The flaw is classified under [CWE-122] as a heap-based buffer overflow. An attacker can trigger code execution in the context of the client application that uses the driver to connect to a malicious or attacker-controlled SQL Server instance. Successful exploitation requires user interaction, typically convincing a victim to initiate a database connection. The vulnerability affects the standalone OLE DB Driver as well as installations bundled with Microsoft SQL Server 2019 and SQL Server 2022 on x64 platforms.
Critical Impact
Successful exploitation allows attackers to execute arbitrary code on the client system connecting to a malicious SQL Server, leading to full compromise of confidentiality, integrity, and availability.
Affected Products
- Microsoft OLE DB Driver for SQL Server
- Microsoft SQL Server 2019 (x64)
- Microsoft SQL Server 2022 (x64)
Discovery Timeline
- 2024-04-09 - CVE-2024-28910 published to NVD as part of Microsoft's April 2024 Patch Tuesday
- 2025-01-07 - Last updated in NVD database
Technical Details for CVE-2024-28910
Vulnerability Analysis
The vulnerability resides in the Microsoft OLE DB Driver for SQL Server, the client-side component used by applications to communicate with SQL Server databases using the Tabular Data Stream (TDS) protocol. The driver mishandles data returned from a server response, resulting in a heap-based buffer overflow on the connecting client. Exploitation requires an attacker to host or control a malicious SQL Server endpoint and convince a victim to connect to it. Because the flaw triggers in the client process, code execution occurs with the privileges of the user running the application that loaded the driver. The attack vector is network-based, attack complexity is low, and no authentication is required against the client, though user interaction is necessary to initiate the connection.
Root Cause
The defect is a heap-based buffer overflow [CWE-122] in the OLE DB Driver's handling of server-supplied data. The driver allocates a heap buffer of insufficient size for attacker-controlled response fields, allowing out-of-bounds writes that corrupt adjacent heap structures. An attacker who controls the heap layout can leverage the corruption to redirect execution flow.
Attack Vector
Exploitation requires the victim to initiate an outbound database connection to a malicious server controlled by the attacker. Common scenarios include applications that allow user-supplied connection strings, linked server queries, ad hoc data import tools, or Microsoft Office data connections. The attacker delivers a crafted TDS response that triggers the overflow when parsed by the client-side driver.
No public proof-of-concept code is available for CVE-2024-28910. Refer to the Microsoft Security Update for CVE-2024-28910 for vendor-specific technical details.
Detection Methods for CVE-2024-28910
Indicators of Compromise
- Unexpected outbound TCP connections from client applications to untrusted hosts on port 1433 or other SQL Server listener ports.
- Crashes or abnormal terminations of processes that load msoledbsql.dll or msoledbsql19.dll.
- Child processes spawned by applications such as excel.exe, sqlcmd.exe, or custom line-of-business tools immediately following a database connection attempt.
- Heap corruption Windows Error Reporting (WER) events referencing the OLE DB Driver modules.
Detection Strategies
- Monitor process creation events where the parent process has loaded the OLE DB Driver DLL and the child process is a shell, scripting host, or LOLBin.
- Inspect network telemetry for connections from client workstations to SQL Server endpoints outside the corporate database tier.
- Correlate Windows crash dumps tagged with msoledbsql module faults across the fleet to identify exploitation attempts.
Monitoring Recommendations
- Enable Sysmon Event ID 7 to track module loads of msoledbsql*.dll by non-database applications.
- Alert on Office applications or browsers establishing TDS connections, as these rarely connect to SQL Server directly in normal workflows.
- Track DNS queries and outbound connection attempts to domains and IPs not on the approved database server inventory.
How to Mitigate CVE-2024-28910
Immediate Actions Required
- Apply the Microsoft security updates for the OLE DB Driver for SQL Server and SQL Server 2019/2022 released in April 2024.
- Inventory all systems with msoledbsql.dll installed, including developer workstations and application servers, and prioritize patching of internet-exposed or user-facing hosts.
- Restrict outbound TCP port 1433 and other SQL listener ports at the perimeter firewall to known database servers only.
- Educate users to avoid pasting untrusted connection strings into Excel, Power Query, SSMS, or other data-connection tools.
Patch Information
Microsoft released fixed versions of the OLE DB Driver for SQL Server alongside cumulative updates for SQL Server 2019 and 2022. Consult the Microsoft Security Update for CVE-2024-28910 for the specific build numbers and download links applicable to each affected product.
Workarounds
- Block outbound TDS traffic (default port 1433) from endpoints that do not require direct SQL Server access.
- Disable or remove the OLE DB Driver on systems that do not require database connectivity.
- Apply application-level controls that restrict connection strings to an allowlist of approved database servers.
# Example: Block outbound TDS traffic from a Windows client to non-approved hosts
New-NetFirewallRule -DisplayName "Block Outbound SQL TDS" `
-Direction Outbound `
-Protocol TCP `
-RemotePort 1433 `
-Action Block `
-RemoteAddress Any
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
