CVE-2024-28913: OLE DB Driver for SQL Server RCE Flaw

CVE-2024-28913 Overview

CVE-2024-28913 is a remote code execution vulnerability in the Microsoft OLE DB Driver for SQL Server. The flaw is classified as a heap-based buffer overflow [CWE-122] and affects the database connectivity component used by client applications to communicate with Microsoft SQL Server instances. Successful exploitation allows an attacker to execute arbitrary code in the context of the user running the vulnerable client application. The vulnerability requires user interaction, typically by tricking a victim into connecting to an attacker-controlled SQL Server. Microsoft published the advisory on April 9, 2024, and the entry was last updated on January 7, 2025.

Critical Impact

Attackers who lure a user into connecting to a malicious SQL Server can corrupt heap memory in the OLE DB Driver and gain remote code execution on the client host with full confidentiality, integrity, and availability impact.

Affected Products

• Microsoft OLE DB Driver for SQL Server
• Microsoft SQL Server 2019 (x64)
• Microsoft SQL Server 2022 (x64)

Discovery Timeline

• 2024-04-09 - CVE-2024-28913 published to NVD with Microsoft's security advisory
• 2025-01-07 - Last updated in NVD database

Technical Details for CVE-2024-28913

Vulnerability Analysis

The vulnerability resides in the Microsoft OLE DB Driver for SQL Server, the client-side library applications use to issue queries and receive results from SQL Server. The driver mishandles data returned from a server during connection or query response processing, producing a heap-based buffer overflow [CWE-122]. An attacker who controls the SQL Server endpoint can craft malformed response packets that overflow an allocated buffer on the client heap. Memory corruption of this class can be steered toward arbitrary code execution by overwriting adjacent heap metadata or object pointers used by the driver. Because the driver is loaded in-process by the calling application, code execution occurs at the privilege level of that application.

Root Cause

The root cause is improper bounds validation when the OLE DB Driver parses server-supplied data into a heap-allocated buffer. The driver allocates a buffer based on one length value but copies data using an attacker-influenced size, producing the overflow.

Attack Vector

Exploitation is network-based but requires user interaction. The victim must initiate a connection from a vulnerable client to a SQL Server instance controlled by the attacker, for example through a crafted connection string, a phishing-delivered ODBC data source file, or a tampered application configuration. Once the client connects, the malicious server returns the overflow-triggering payload during the handshake or query response phase. No authentication on the client side is required for the malicious server to send the payload.

// No verified public proof-of-concept is available for CVE-2024-28913.
// Refer to the Microsoft Security Response Center advisory for technical details.

Detection Methods for CVE-2024-28913

Indicators of Compromise

• Unexpected outbound TCP connections from workstations or application servers to SQL Server endpoints (default port 1433) on untrusted networks.
• Crashes, access violations, or unexpected restarts in processes that load msoledbsql.dll or oledbsql.dll.
• Child processes such as cmd.exe, powershell.exe, or rundll32.exe spawned by applications that normally only host database client code.
• Creation of ODBC or OLE DB data source files (.udl, .dsn) pointing to external or unknown SQL Server hosts.

Detection Strategies

• Monitor process telemetry for modules loading msoledbsql.dll followed by suspicious child process creation or memory allocation patterns consistent with shellcode execution.
• Inspect network flows for connections from end-user devices to SQL Server ports on internet-routable or non-corporate ranges.
• Correlate Windows Error Reporting and application crash events for modules belonging to the OLE DB Driver across the fleet.

Monitoring Recommendations

• Inventory all hosts with the Microsoft OLE DB Driver for SQL Server (MSOLEDBSQL) installed and track installed versions against Microsoft's patched build list.
• Alert on first-seen SQL Server destinations from each client to surface social-engineering-driven connections to attacker infrastructure.
• Log and review changes to connection strings in application configuration files and registry-stored DSNs.

How to Mitigate CVE-2024-28913

Immediate Actions Required

• Apply the Microsoft security update for the OLE DB Driver for SQL Server referenced in the Microsoft CVE-2024-28913 Advisory to all affected clients and SQL Server 2019 and 2022 installations.
• Identify every application that bundles or depends on msoledbsql.dll and ensure each is updated, as the driver is frequently redistributed with third-party software.
• Restrict outbound TCP/1433 and TCP/1434 traffic from user workstations to only approved SQL Server hosts.

Patch Information

Microsoft has released updated versions of the OLE DB Driver for SQL Server (MSOLEDBSQL) and corresponding cumulative updates for SQL Server 2019 and SQL Server 2022. Patch details, downloadable installers, and the full list of fixed builds are available in the Microsoft CVE-2024-28913 Advisory.

Workarounds

• Block outbound connections from end-user systems to SQL Server ports outside of approved internal ranges using host or perimeter firewalls.
• Enforce application allowlisting to prevent execution of binaries delivered alongside malicious .udl or .dsn files.
• Train users to refuse connection prompts and data source files originating from email or untrusted file shares until patches are deployed.

# Example: block outbound SQL Server traffic on Windows clients except to an approved server
New-NetFirewallRule -DisplayName "Block outbound SQL Server" -Direction Outbound \
  -Protocol TCP -RemotePort 1433,1434 -Action Block -Profile Any

New-NetFirewallRule -DisplayName "Allow approved SQL Server" -Direction Outbound \
  -Protocol TCP -RemoteAddress 10.10.20.50 -RemotePort 1433 -Action Allow -Profile Any